Blind SQL Injection possible via Authenticated Web-hook Search API Endpoint

Critical
vedanshujain published GHSA-7vx5-x39w-q24g Jul 23, 2021

Package

composer woocommerce/woocommerce (Composer)

Affected versions

>= 3.3

Patched versions

> 5.5.1, 5.5.1, 5.4.2, 5.3.1, 5.2.3, 5.1.1, 5.0.1, 4.9.3, 4.8.1, 4.7.2, 4.6.3, 4.5.3, 4.4.2, 4.3.4, 4.2.3, 4.1.2, 4.0.2, 3.9.4, 3.8.2, 3.7.2, 3.6.6, 3.5.9, 3.4.8, 3.3.6

Description

Impact

This vulnerability impacts all WooCommerce sites running version 3.3.0 or later of the WooCommerce plugin. Malicious actors who already have admin access or API keys to the WooCommerce site can exploit the vulnerable endpoints /wp-json/wc/v3/webhooks, /wp-json/wc/v2/webhooks and other webhook listing APIs. Read-only SQL queries can be executed through this exploit; although no data is returned directly, information can be disclosed by carefully crafting the search parameter and using timing and related attacks.
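The affected and patched version lists above are spread over many minor branches, so a triage script is the practical way to check an inventory of sites against them. The following is an added example, not code from the advisory or from WooCommerce; it encodes the advisory's rule (affected >= 3.3, patched at the listed release of each branch and at anything above 5.5.1) and the site inventory it prints is constructed.

```python
"""Check installed WooCommerce versions against the patched releases listed
in GHSA-7vx5-x39w-q24g (CVE-2021-32790). Added example, not advisory code."""
from __future__ import annotations

# Patched releases exactly as listed in the advisory, one per minor branch.
PATCHED_RELEASES = [
    "5.5.1", "5.4.2", "5.3.1", "5.2.3", "5.1.1", "5.0.1",
    "4.9.3", "4.8.1", "4.7.2", "4.6.3", "4.5.3", "4.4.2", "4.3.4",
    "4.2.3", "4.1.2", "4.0.2",
    "3.9.4", "3.8.2", "3.7.2", "3.6.6", "3.5.9", "3.4.8", "3.3.6",
]
FIRST_AFFECTED = (3, 3, 0)   # advisory: affected versions >= 3.3
NEWEST_PATCHED = (5, 5, 1)   # advisory: everything > 5.5.1 is also patched


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' into a comparable (X, Y, Z) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return (parts[0], parts[1], parts[2])


# Map each minor branch (X, Y) to the first fixed release on that branch.
PATCHED_BY_BRANCH = {v[:2]: v for v in map(parse_version, PATCHED_RELEASES)}


def status(installed: str) -> str:
    """Return 'not_affected', 'patched' or 'vulnerable' for one installed version."""
    v = parse_version(installed)
    if v < FIRST_AFFECTED:
        return "not_affected"
    if v > NEWEST_PATCHED:
        return "patched"
    fix = PATCHED_BY_BRANCH.get(v[:2])
    if fix is None:
        # A branch with no listed backport: treat as unfixed rather than guess.
        return "vulnerable"
    return "patched" if v >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical site names and versions).
    for site, version in [("shop-a", "5.5.0"), ("shop-b", "5.5.1"),
                          ("shop-c", "4.3.4"), ("shop-d", "3.2.9"),
                          ("shop-e", "5.6.0")]:
        print(f"{site}: {version} -> {status(version)}")
```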

Patches

diff --git a/includes/data-stores/class-wc-webhook-data-store.php b/includes/data-stores/class-wc-webhook-data-store.php
index 7feed6e4cc..0815e28fe0 100644
--- a/includes/data-stores/class-wc-webhook-data-store.php
+++ b/includes/data-stores/class-wc-webhook-data-store.php
@@ -277,7 +277,7 @@ class WC_Webhook_Data_Store implements WC_Webhook_Data_Store_Interface {
                $limit           = -1 < $args['limit'] ? $wpdb->prepare( 'LIMIT %d', $args['limit'] ) : '';
                $offset          = 0 < $args['offset'] ? $wpdb->prepare( 'OFFSET %d', $args['offset'] ) : '';
                $status          = ! empty( $args['status'] ) ? $wpdb->prepare( 'AND `status` = %s', isset( $statuses[ $args['status'] ] ) ? $statuses[ $args['status'] ] : $args['status'] ) : '';
-               $search          = ! empty( $args['search'] ) ? "AND `name` LIKE '%" . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . "%'" : '';
+               $search          = ! empty( $args['search'] ) ? $wpdb->prepare( "AND `name` LIKE %s", '%' . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . '%' ) : '';
                $include         = '';
                $exclude         = '';
                $date_created    = '';
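Review bot: the `+` line uses a double-quoted format string ("AND `name` LIKE %s") while the $limit, $offset and $status lines directly above pass single-quoted strings to $wpdb->prepare(); since nothing in the string is interpolated, 'AND `name` LIKE %s' would keep the hunk consistent. The order of operations in the `+` line is the correct one: $wpdb->esc_like() only escapes the LIKE wildcards `%` and `_` and does not quote a value for SQL, which is why the `-` line's direct concatenation into the LIKE literal was the defect (sanitize_text_field() does not remove quote characters either); building the wildcard-bounded pattern first and then binding it with %s lets prepare() supply the quoting that was missing.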

Workarounds

No workarounds are available for this vulnerability.

References

A8C SIRT: p3btAN-1ve-p2 (internal)
Public disclosure: https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/

Severity

Critical

CVE ID

CVE-2021-32790

Weaknesses