CVE-2022-0412
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection attacks against WordPress sites using vulnerable versions of the TI WooCommerce Wishlist plugin. Attackers can execute arbitrary SQL commands through the wishlist/remove_product REST endpoint by manipulating the item_id parameter. All WordPress sites with the affected plugin versions are at risk.
💻 Affected Systems
- TI WooCommerce Wishlist WordPress plugin
- TI WooCommerce Wishlist Pro WordPress plugin
📦 What is this software?
Ti Woocommerce Wishlist by Templateinvaders
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.
Likely Case
Data exfiltration from the WordPress database including user credentials, sensitive customer information, and site configuration.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.
🎯 Exploit Status
Simple SQL injection via REST API endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.40.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2668899
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the TI WooCommerce Wishlist plugin.
4. Click 'Update Now' if an update is available.
5. If no update shows, download version 1.40.1+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable REST endpoint
Temporarily disable the vulnerable wishlist/remove_product REST endpoint
Add to theme's functions.php: remove_action('rest_api_init', 'tinvwl_rest_api_init');
Web Application Firewall rule
Block SQL injection patterns targeting the wishlist endpoint
WAF rule: Block requests containing SQL injection patterns to /wp-json/tinvwl/v1/wishlist/remove_product
🧯 If You Can't Patch
- Disable the TI WooCommerce Wishlist plugin completely
- Implement strict network filtering to block external access to /wp-json/tinvwl/v1/ endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → TI WooCommerce Wishlist → Version number. If version is below 1.40.1, you are vulnerable.
Check Version:
wp plugin list --name=ti-woocommerce-wishlist --field=version
Verify Fix Applied:
After update, confirm plugin version shows 1.40.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed requests to /wp-json/tinvwl/v1/wishlist/remove_product
- Requests with SQL injection patterns in item_id parameter
Network Indicators:
- POST requests to /wp-json/tinvwl/v1/wishlist/remove_product with SQL payloads
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri_path="/wp-json/tinvwl/v1/wishlist/remove_product" AND (item_id CONTAINS "'" OR item_id CONTAINS "--" OR item_id CONTAINS "UNION" OR item_id CONTAINS "SELECT")
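As an added example (not part of the advisory and not the plugin's own code), the Python below applies the indicators above to web-server access logs: it parses combined-format entries, picks out requests to the remove_product route, and flags every item_id that is not a plain positive integer, reporting which of the SIEM query's markers (quote, comment, UNION, SELECT) it contains and which client IPs repeat. The log lines are constructed sample data, and the assumption that a legitimate item_id is numeric is the example's, not the advisory's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# REST route named in the advisory.
TARGET_PATH = "/wp-json/tinvwl/v1/wishlist/remove_product"

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:12:00:01 +0000] "POST /wp-json/tinvwl/v1/wishlist/remove_product?item_id=42 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2022:12:00:02 +0000] "POST /wp-json/tinvwl/v1/wishlist/remove_product?item_id=42%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Feb/2022:12:00:03 +0000] "POST /wp-json/tinvwl/v1/wishlist/remove_product?item_id=1%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Feb/2022:12:00:04 +0000] "GET /wp-json/tinvwl/v1/wishlist/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Common/combined access-log layout: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers mirroring the advisory's SIEM query; checked only on values that
# already failed the numeric check, so they explain a finding rather than cause it.
SQLI_MARKERS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*|#"),
    "union": re.compile(r"\bunion\b", re.IGNORECASE),
    "select": re.compile(r"\bselect\b", re.IGNORECASE),
}


def parse_line(line):
    """Return a dict with ip/ts/method/path/query/status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes, so %27 is compared as a literal quote.
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def classify_item_id(value):
    """Assumption: a legitimate item_id is a positive integer.
    Anything else is returned with the list of markers it contains."""
    if re.fullmatch(r"\d+", value):
        return []
    hits = [name for name, rx in SQLI_MARKERS.items() if rx.search(value)]
    return hits or ["non-numeric"]


def detect(log_text):
    """Scan access-log text and return one finding per suspicious item_id."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get("item_id", []):
            reasons = classify_item_id(value)
            if reasons:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                    "item_id": value, "reasons": reasons,
                })
    return findings


def repeat_offenders(findings, threshold=2):
    """Client IPs with at least `threshold` flagged requests, i.e. the
    advisory's 'multiple requests to the endpoint' indicator."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"item_id={f['item_id']!r} -> {', '.join(f['reasons'])}")
    print("repeat offenders:", repeat_offenders(hits))
```

The check covers only parameters carried in the query string, because standard access logs do not record POST bodies; an item_id submitted in the request body is visible to the WAF rule above or to application-level logging, not to this script. Treat a 5xx status on a flagged request as stronger evidence, since a malformed SQL statement typically surfaces as a database error.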