Wordfence Integrated WooCommerce Payments Remote SQL Injection Vulnerabilities (CVE-2015-1600/1601/1602)

Based on the provided screenshot, here is a summary of the vulnerability intelligence: ## Vulnerability Overview The page displays information regarding **Wordfence's Integrated WooCommerce Payments** plugin for WordPress, which contains multiple remote SQL injection vulnerabilities. However, there is a discrepancy in the page content: the top banner references an "A to Z Theme Pro Bug Bounty Challenge 4.0.4" offering $1,000 for vulnerabilities, while the detailed vulnerability information below pertains to "Wordfence's Integrated WooCommerce Payments." **Affected Plugin:** Wordfence's Integrated WooCommerce Payments **Affected Version:** 4.0.2 **Vulnerability Type:** Remote SQL Injection Three CVEs are identified: - **CVE-2015-1600**: High severity remote SQL injection - **CVE-2015-1601**: Medium severity remote SQL injection - **CVE-2015-1602**: Low severity remote SQL injection **Technical Details:** The plugin is vulnerable to remote SQL injection via the `order_id` parameter in the `wc_order` endpoint, allowing an attacker to potentially execute arbitrary SQL commands on the database server. ## Impact/Scope - **Software:** Wordfence's Integrated WooCommerce Payments (WordPress plugin) - **Version:** 4.0.2 - **Attack Vector:** Remote, via the `order_id` parameter in the `wc_order` endpoint - **Impact:** Database compromise through arbitrary SQL command execution ## Remediation The page indicates that remediation information is available through the Wordfence Intelligence database. Multiple "View Remediation" buttons are present, along with a "Download" option for remediation details. The standard remediation approach would involve updating to a patched version of the plugin. ## POC/Exploit No explicit proof-of-concept code is displayed in the screenshot. However, the attack vector is disclosed: - **Vulnerable Parameter:** `order_id` - **Vulnerable Endpoint:** `wc_order` The top banner mentions a $1,000 bug bounty program (active through April 15, 2015) for submitting vulnerabilities, suggesting this was part of a coordinated disclosure or challenge program.

Goal Reached Thanks to every supporter — we hit 100%!

Wordfence Integrated WooCommerce Payments Remote SQL Injection Vulnerabilities (CVE-2015-1600/1601/1602)

More from this source