• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
WordPress Vulnerablity Disclosre

SQLi Vulnerability in YITH WooCommerce Wishlist

January 16, 2018John CastroEspanolPortugues

Security Risk: Dangerous

Exploitation Level: Easy/Remote

DREAD Score: 7/10

Vulnerability: SQL Injection

Patched Version: 2.2.0

581
SHARES
FacebookTwitterSubscribe

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store and is currently installed on 500,000+ websites.

Are You at Risk?

This vulnerability is caused by the lack of sanitization of user-provided data in versions below 2.2.0. An attacker (with at least a subscriber account) could leak sensitive data, and in certain configurations, could compromise your entire WordPress installation.

Please note that this is easily exploited in servers running MySQL versions before 5.7.  

The interesting part of this vulnerability – and the reason we wanted to generate this security advisory –  is that free “user registration” is usually enabled on sites using this plugin in order to allow user preferences (i.e. wish lists) to be stored and accessible for later use.

Technical Details

The vulnerable code is seen in line 523 of includes/class.yith-wcwl-shortcode.php in version 2.1.2. This code is part of the function get_products() which basically returns all wishlist elements for a specific user:

vulnerable code get_products() function

If attackers are able to set arbitrary values for the variable $limit they can modify the query in a way that can lead to a full compromise in several servers out there. One should not underestimate what can be done with an SQLi, nor how many servers allow attackers to get more than just encrypted hashes and user emails.

In order to reach the vulnerable query, an attacker will have to craft the request with the following parameters:

  • pagination value has to be “yes”
  • count variable has to be > 1 (this variable store the number of  wishlist elements for a specific user)
  • limit variable has to be set

The attacker can then fulfill all of these conditions via the shortcode yith_wcwl_wishlist defined in includes/class.yith-wcwl-shortcode.php:

vulnerable sqli injection code

vulnerable includes/class.yith-wcwl-shortcode.php

The only thing an attacker needs to do at this point, is create a user account and call the vulnerable shortcode as we described before in some of our posts.

Update as Soon as Possible

If you’re using a vulnerable version of this plugin, update as soon as possible to version 2.2.0!

In the event where you cannot do this, we strongly recommend leveraging the Sucuri Firewall or equivalent technology to have the vulnerability patched virtually.

581
SHARES
FacebookTwitterSubscribe

Categories: Ecommerce Security, Vulnerability Disclosure, WordPress SecurityTags: PCI Compliance, SQL Injection, Webserver Infections, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

PCI Compliance Guide

How to Clean a Hacked Website Guide

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.