[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLmulQG-oj5gE2S3OmhHUmEBdekSCKqoxICTDtva-bwM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-11360","advanced-order-export-for-woocommerce-authenticated-shop-manager-sql-injection-via-sortdirection-parameter","Advanced Order Export For WooCommerce \u003C= 4.0.10 - Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter","The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The endpoint requires a valid woe_nonce and Shop Manager-level capabilities (view_woocommerce_reports or export_woocommerce_orders), and wp_magic_quotes protection is stripped via stripslashes_deep() before processing, allowing quote and backslash characters to survive intact into the SQL context.","woo-order-export-lite",null,"\u003C=4.0.10","4.1.0","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-17 16:45:50","2026-06-18 05:34:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0b395777-2e2a-4dc3-9b0c-ce4c9d22d7e9?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fexport-fields.js","assets\u002Fjs\u002Ffilters.js","classes\u002FFPDF\u002Fclass-woe-fpdf-tt-font-file.php","classes\u002FFPDF\u002Fclass-woe-fpdf.php","classes\u002FFPDF\u002Fclass-woe-pdf-mc-table.php","classes\u002Fadmin\u002Ftabs\u002Fajax\u002Ftrait-wc-order-export-admin-tab-abstract-ajax-filters.php","classes\u002Fcore\u002Fclass-wc-order-export-engine.php","i18n\u002Flanguages\u002Fwoo-order-export-lite.pot","researched",false,3,"This research plan outlines the technical steps to verify the authenticated SQL Injection vulnerability (CVE-2026-11360) in the \"Advanced Order Export For WooCommerce\" plugin.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated SQL Injection via the `sort_direction` parameter.\n*   **Location:** The vulnerability resides in the SQL generation logic within `WC_Order_Export_Data_Extractor` (triggered by various AJAX methods in `WC_Order_Export_Admin_Tab_Abstract_Ajax_Filters`).\n*   **Cause:** The plugin fails to validate or sanitize the `sort_direction` parameter before concatenating it into an `ORDER BY` clause. Although it uses `stripslashes_deep()` on the input, this actually removes WordPress's default magic quotes, allowing raw SQL metacharacters (like quotes and backslashes) to reach the database layer without proper preparation.\n*   **Impact:** A Shop Manager or Administrator can execute arbitrary SQL queries to extract sensitive data from the WordPress database, including user password hashes and secret keys.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `order_exporter`\n*   **Method (Parameter):** `get_used_custom_order_meta` (or any method calling `sql_get_order_ids`)\n*   **Vulnerable Parameter:** `sort_direction`\n*   **Authentication:** Requires a user with `Shop Manager` (or higher) capabilities.\n*   **Preconditions:**\n    *   WooCommerce must be active.\n    *   The attacker must possess a valid `woe_nonce`.\n    *   The attacker must have the `view_woocommerce_reports` or `export_woocommerce_orders` capability (default for Shop Managers).\n\n### 3. Code Flow\n1.  **Entry Point:** The AJAX action `order_exporter` is registered in the plugin's administration classes.\n2.  **AJAX Handling:** Requests are routed to methods within the `WC_Order_Export_Admin_Tab_Abstract_Ajax_Filters` trait. For example, `ajax_get_used_custom_order_meta()`.\n3.  **Nonce & Capability Check:** `check_nonce()` is called, verifying the `woe_nonce` parameter.\n4.  **Settings Processing:** `WC_Order_Export_Manage::make_new_settings( $_POST )` is called, which gathers settings from the request.\n5.  **SQL Generation (Sink):** `WC_Order_Export_Data_Extractor::sql_get_order_ids( $settings )` is called. Inside this method, the code likely appends `$settings['sort_direction']` directly to the SQL query string used to fetch order IDs.\n6.  **Stripping Slashes:** The plugin applies `stripslashes_deep()` to input, which allows characters like `'` to bypass WordPress's global sanitization and enter the SQL context.\n\n### 4. Nonce Acquisition Strategy\nThe `woe_nonce` is localized into the admin page using `wp_localize_script`. It is stored in the global JavaScript object `settings_form`.\n\n**Acquisition Steps:**\n1.  Navigate to the plugin's settings page: `\u002Fwp-admin\u002Fadmin.php?page=woo-order-export-lite`.\n2.  Use the `browser_eval` tool to extract the nonce:\n    ```javascript\n    window.settings_form?.woe_nonce\n    ```\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload to confirm the vulnerability.\n\n**Step-by-Step Plan:**\n1.  **Login:** Authenticate as a Shop Manager user.\n2.  **Nonce Capture:** Navigate to the export settings page and extract `settings_form.woe_nonce`.\n3.  **Baseline Request:** Send an AJAX request with `sort_direction=ASC` and measure response time.\n4.  **Injected Request:** Send an AJAX request with a `SLEEP()` payload in the `sort_direction` parameter.\n    *   **Payload:** `ASC, (SELECT 1 FROM (SELECT SLEEP(5))A)`\n5.  **Execution:** Use `http_request` (Playwright) to send the POST request.\n\n**Request Details:**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=order_exporter&method=get_used_custom_order_meta&woe_nonce=[NONCE]&sort_direction=ASC, (SELECT 1 FROM (SELECT SLEEP(5))A)\n    ```\n\n### 6. Test Data Setup\n1.  **WooCommerce:** Ensure WooCommerce is installed and set up.\n2.  **Order:** Create at least one test order so the query has data to process.\n3.  **User:** Create a user with the `shop_manager` role.\n    *   `wp user create attacker attacker@example.com --role=shop_manager --user_pass=password`\n4.  **Plugin Config:** No special configuration is needed; the default settings are sufficient.\n\n### 7. Expected Results\n*   **Baseline:** The response should be near-instant (e.g., \u003C 200ms).\n*   **Exploit:** The response should be delayed by approximately 5 seconds.\n*   **Response Body:** The response will be a JSON object (e.g., `[\"_billing_first_name\", ...]`) because the injection occurs in the query that fetches IDs for the meta-analysis.\n\n### 8. Verification Steps\n1.  Check the response time of the `http_request` call.\n2.  To confirm data extraction, use a boolean-based payload to check the first character of the database version:\n    *   **Payload:** `ASC, (SELECT 1 FROM (SELECT 1)A WHERE VERSION() LIKE '8%')`\n    *   If the condition is true, the response is normal; if false, the ordering logic might change the response data order or cause a different behavior (if the subquery returns no rows).\n\n### 9. Alternative Approaches\n*   **Error-Based:** If `WP_DEBUG` is enabled, try inducing a database error using `updatexml()` or `extractvalue()` to leak data in the response body.\n*   **UNION-Based:** If the `sort_direction` parameter is injected into a context that allows `UNION` (unlikely in `ORDER BY` but possible if the parameter is misused elsewhere), try to match column counts to reflect the admin password hash.\n*   **Other Methods:** Try other `method` values in the `order_exporter` action, such as `get_products_attributes_values`, as seen in `assets\u002Fjs\u002Ffilters.js`.","Advanced Order Export For WooCommerce (up to 4.0.10) is vulnerable to authenticated SQL Injection via the 'sort_direction' parameter. This allows attackers with Shop Manager-level access to execute arbitrary SQL commands and extract sensitive data by injecting malicious payloads into ORDER BY clauses during export metadata extraction requests.","\u002F\u002F classes\u002Fadmin\u002Ftabs\u002Fajax\u002Ftrait-wc-order-export-admin-tab-abstract-ajax-filters.php:84\n\npublic function ajax_get_used_custom_order_meta() {\n    $this->check_nonce();\n    \u002F\u002F Input settings are gathered from $_POST without validation for SQL keywords\n    $settings = WC_Order_Export_Manage::make_new_settings( $_POST );\n    \u002F\u002F The 'sort_direction' value in $settings is subsequently concatenated unvalidated into a SQL ORDER BY clause\n    $sql      = WC_Order_Export_Data_Extractor::sql_get_order_ids( $settings );\n    $ret      = WC_Order_Export_Data_Extractor_UI::get_all_order_custom_meta_fields( $sql );\n    $this->print_escaped_json( $ret );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-order-export-lite\u002F4.0.10\u002Fassets\u002Fjs\u002Fexport-fields.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-order-export-lite\u002F4.1.0\u002Fassets\u002Fjs\u002Fexport-fields.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-order-export-lite\u002F4.0.10\u002Fassets\u002Fjs\u002Fexport-fields.js\t2025-12-02 06:04:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-order-export-lite\u002F4.1.0\u002Fassets\u002Fjs\u002Fexport-fields.js\t2026-06-08 04:38:58.000000000 +0000\n@@ -644,7 +644,7 @@\n \tvar repeat_options_html = {};\n \n \tjQuery.each( localize_settings_form.repeats, function ( key, currentValue ) {\n-\t\trepeat_select.append( '\u003Coption value=\"' + key + '\">' + currentValue + '\u003C\u002Foption>' );\n+\t\trepeat_select.append( new Option(currentValue, key) );\n \t\trepeat_options_html[key] = [];\n \t} );\n\n... (truncated)","The vulnerability is exploited by sending an authenticated POST request to the 'order_exporter' AJAX action. An attacker with Shop Manager privileges retrieves a valid 'woe_nonce' from the admin dashboard and then triggers one of several vulnerable AJAX methods, such as 'get_used_custom_order_meta'. By supplying a malicious SQL payload in the 'sort_direction' parameter (e.g., 'ASC, (SELECT SLEEP(5))'), the attacker can manipulate the query execution. This is possible because the plugin removes WordPress's default slash-escaping via stripslashes_deep() and lacks parameter binding or allow-listing for the sort order suffix.","gemini-3-flash-preview","2026-06-25 21:53:51","2026-06-25 21:54:54",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.0.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-order-export-lite\u002Ftags\u002F4.0.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-order-export-lite.4.0.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-order-export-lite\u002Ftags\u002F4.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-order-export-lite.4.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-order-export-lite\u002Ftags"]