New SQL injection vulnerability discovered

This topic has 3 replies, 2 voices, and was last updated 1 day, 21 hours ago by Jack Richardson

    Kristjan
    Participant
    February 15, 2025 at 14:27

    I have discovered a new SQL injection vulnerability in the latest version.

    The only plugins and themes installed on the test page:
    WordPress version: 6.7.2
    WooCommerce version: 9.6.2
    XStore Core version: 5.4.7
    XStore version: 9.4.7

    Content is visible to the topic creator and
    support staff only.
    2 Answers
    Kristjan
    Participant
    February 16, 2025 at 14:23

    ajax-search.php seems to have several vulnerability issues:

    $args['s'] = trim( $this->request['query'] );
    $args = apply_filters( 'etheme_ajax_search_posts_query', $args );
    return get_posts( http_build_query( $args ) );

    $query = trim( $this->request['query'] );
    $args['s'] = $query;

    The query comes directly from $_REQUEST['query'].
    It is used in http_build_query($args), which constructs a query string.
    The search query is passed directly into get_posts() without sanitization.
    Potential SQL injection if the query is manipulated in a certain way,
    etc.

    Jack Richardson
    Support staff
    February 17, 2025 at 08:39

    Dear @Kristjan,

    Thank you for your suggestion!

    Could you kindly provide your advice or consult with the developers who conducted these tests to confirm whether it would be acceptable to modify the following line of code in the XStore Core plugin:

    $args['s'] = trim( $this->request['query'] );

    to the following version using the sanitizer function:

    $args['s'] = sanitize_text_field(trim( $this->request['query'] ));

    If this modification is appropriate, we will implement this improvement globally in the next update.

    We appreciate your feedback and look forward to your response.

    Best regards,
    Jack Richardson
    8Theme Team
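A hardened form of the argument builder discussed in this thread, added here as an example; it is not code from XStore Core or from the 8Theme team's fix. It assumes WordPress is loaded (sanitize_text_field(), apply_filters(), get_posts()), reuses the filter name quoted above, and takes a $request array populated from $_REQUEST; the function name, the product post type and the length bound are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded so
// sanitize_text_field(), apply_filters() and get_posts() exist.

/**
 * Build the get_posts() arguments for the AJAX search from the raw request.
 * Hypothetical function name; the plugin does this inside a class method.
 */
function etheme_example_search_args( array $request ): array {
    // Accept only a scalar 'query'; arrays or missing keys become an empty term.
    $query = isset( $request['query'] ) && is_scalar( $request['query'] )
        ? (string) $request['query']
        : '';

    // sanitize_text_field() strips tags, invalid UTF-8, percent-encoded
    // octets and line breaks, then trims. This validates input at the
    // boundary and is defence in depth alongside the escaping WP_Query
    // applies when it builds its LIKE clause.
    $query = sanitize_text_field( trim( $query ) );

    // Length bound (assumed value): a search term longer than this has no
    // legitimate use and only makes the LIKE query more expensive.
    $query = mb_substr( $query, 0, 100 );

    $args = array(
        's'              => $query,
        'post_type'      => 'product',  // assumption: WooCommerce product search
        'post_status'    => 'publish',  // never surface drafts or private posts
        'posts_per_page' => 10,
    );

    // Same filter the plugin exposes, so site code can still adjust the query.
    return apply_filters( 'etheme_ajax_search_posts_query', $args );
}

// Pass the array directly: get_posts() accepts an array or a query string,
// so the http_build_query() round-trip in the original snippet is not needed.
$results = get_posts( etheme_example_search_args( $_REQUEST ) );
```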
