shac1x/CVE-2025-11391
Unauthenticated Blind SQL Injection in PPOM for WooCommerce <= 33.0.15

This repository contains a Proof of Concept (PoC) for an unauthenticated time-based blind SQL Injection vulnerability in the "PPOM for WooCommerce" WordPress plugin, affecting versions up to and including 33.0.15.

Vulnerability Details

  • Plugin: PPOM for WooCommerce
  • Affected Versions: <= 33.0.15
  • Patched Version: 33.0.16
  • Vulnerability Type: Unauthenticated Time-Based Blind SQL Injection
  • CVE ID: CVE-2025-11391 (Assigned for tracking purposes)

Description

The vulnerability exists because the plugin fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, the get_product_meta() function in classes/plugin.class.php directly concatenates the $meta_id parameter into the SQL query without using prepared statements.

Vulnerable Code (classes/plugin.class.php):

function get_product_meta( $meta_id ) {
    // ...
    global $wpdb;
    // $meta_id is interpolated straight into the query string: no prepare(), no integer cast.
    $qry = 'SELECT * FROM ' . $wpdb->prefix . PPOM_TABLE_META . " WHERE productmeta_id = $meta_id";
    $res = $wpdb->get_row( $qry );
    return $res;
}

An unauthenticated attacker can exploit this by crafting a malicious payload and injecting it into the ppom[fields][id] parameter when adding a product to the cart. This allows the attacker to execute arbitrary SQL commands, such as time-delay functions (SLEEP()), enabling them to confirm the vulnerability and potentially exfiltrate sensitive information from the database character by character.

The vulnerability is triggered when the "Enable Legacy Price Calculations" option is active in the plugin's settings, as this forces the application to use the vulnerable code path during cart operations.

Repository Structure

└── cve-2025-11391/
    ├── exploit.py                  # The Python Proof of Concept script.
    └── woocommerce-product-addon/  # Vulnerable version of the plugin (v33.0.15).

Setup & Recreation Steps

1. Requirements

  • A local web server environment (e.g., XAMPP, WAMP, MAMP).
  • A fresh WordPress installation.
  • The WooCommerce plugin installed and activated.
  • Python 3.x with the requests library installed (pip install requests).

2. Lab Setup

  1. Start your local web server (Apache, MySQL).
  2. Install WordPress in a directory (e.g., /htdocs/wp4hacking/).
  3. Install and activate the WooCommerce plugin from the WordPress dashboard.
  4. Install the vulnerable version of woocommerce-product-addon (v33.0.15) provided in this repository by uploading the .zip file from the woocommerce-product-addon/ directory.
  5. Activate the "PPOM for WooCommerce" plugin.

3. Vulnerable Configuration

  1. In the WordPress dashboard, go to PPOM Fields > Settings.
  2. Find the option "Enable Legacy Price Calculations" and check the box to enable it.
  3. Save the changes.
  4. Go to PPOM Fields and create a new Field Group (e.g., name it "PoC Group").
  5. Inside this group, add a Text Input field. Give it a title (e.g., "SQL Injection") and a data name (e.g., sql_injection).
  6. Go to Products > Add New to create a new WooCommerce product.
  7. Give the product a name (e.g., "Product Testing") and a price.
  8. On the product edit page, find the "PPOM Fields" tab and select the "PoC Group" you created.
  9. Publish the product. Note the Product ID (e.g., 72).

Exploitation

The provided exploit.py script confirms the vulnerability by injecting a SLEEP() command and measuring the server's response time.

How to Run the Exploit

  1. Open the exploit.py file and configure the following variables:
     • PRODUCT_URL: The full URL to the vulnerable product page you created.
     • add_to_cart_data['add-to-cart']: The ID of your vulnerable product.
  2. Run the script from your terminal:

     python exploit.py

Expected Output

If the target is vulnerable, the server takes longer than the SLEEP() duration to respond and the request times out. The script interprets this timeout as confirmation that the injected SLEEP() executed.

Attempting SQL Injection PoC (One-Step Method)...
Make sure 'Enable Legacy Price Calculations' is active.
[*] Sending SQL Injection payload...
   Request timed out after 10.00 seconds.

[+] SUCCESS! 'Read timed out' occurred because the SLEEP(7) payload was executed.
   The site is vulnerable to Time-Based Blind SQL Injection.

Mitigation

  • Update Immediately: Upgrade the "PPOM for WooCommerce" plugin to version 33.0.16 or later.
  • Use Prepared Statements: The patched version passes the query through $wpdb->prepare() with a %d placeholder, so $meta_id is cast to an integer before it reaches the query and no injected string survives.

Patched Code (classes/plugin.class.php):

$table = $wpdb->prefix . PPOM_TABLE_META;
// %d makes prepare() cast $meta_id to an integer, so no string payload reaches the query.
$res   = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table WHERE productmeta_id = %d", $meta_id ) );
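Because the patched query binds $meta_id with %d, a legitimate ppom[fields][id] is always a plain integer, which gives defenders a simple invariant to monitor. The Python below is an added example, not part of this repository or the plugin: it scans constructed add-to-cart request records (the record shape and field names are assumptions about what a WAF or application-layer logger might capture) and flags non-integer meta ids, SQL keywords or metacharacters in them, and the slow responses that a time-based probe produces.

```python
import re
from urllib.parse import parse_qs

# The parameter named in the advisory; after the %d fix only integers are valid here.
PARAM = "ppom[fields][id]"
INT_RE = re.compile(r"^\d+$")
# Keywords and metacharacters that never belong in an integer meta id.
SQL_MARKERS = re.compile(r"\b(sleep|benchmark|union|select)\b|['\"()#;]|--|/\*", re.I)
SLOW_SECONDS = 5.0  # a slow answer plus a bad value points at time-based probing

# Constructed sample records (not from the original page), in the shape an
# application-layer logger or WAF might keep for add-to-cart POSTs (assumed format).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/product/product-testing/",
     "body": "add-to-cart=72&quantity=1&ppom%5Bfields%5D%5Bid%5D=5", "elapsed": 0.21},
    {"method": "POST", "path": "/product/product-testing/",
     "body": "add-to-cart=72&quantity=1&ppom%5Bfields%5D%5Bid%5D=5+AND+SLEEP%287%29", "elapsed": 10.0},
    {"method": "GET", "path": "/shop/", "body": "", "elapsed": 0.05},
    {"method": "POST", "path": "/product/product-testing/",
     "body": "add-to-cart=72&quantity=1&ppom%5Bfields%5D%5Bid%5D=5%27", "elapsed": 0.30},
]


def classify_request(req):
    """Return findings for one request record; an empty list means nothing notable."""
    findings = []
    if req["method"] != "POST":
        return findings
    # parse_qs decodes the bracketed key (%5B/%5D) back to ppom[fields][id].
    params = parse_qs(req["body"], keep_blank_values=True)
    if "add-to-cart" not in params or PARAM not in params:
        return findings
    for value in params[PARAM]:
        if INT_RE.match(value):
            continue
        findings.append(f"non-integer {PARAM}={value!r}")
        if SQL_MARKERS.search(value):
            findings.append("SQL keyword or metacharacter in meta id")
    if findings and req["elapsed"] >= SLOW_SECONDS:
        findings.append(f"slow response ({req['elapsed']:.1f}s), consistent with a time-based probe")
    return findings


def scan(records):
    """Return (index, findings) for every record that produced at least one finding."""
    results = []
    for i, req in enumerate(records):
        findings = classify_request(req)
        if findings:
            results.append((i, findings))
    return results
```

Running scan(SAMPLE_REQUESTS) reports records 1 and 3; the well-formed integer and the GET request produce no findings.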

Disclaimer

This PoC is intended for educational and research purposes only. Do not use it on any system you do not own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this script.
