# PagSeguro-Connect-Para-WooCommerce-CVE-Report
Disclosure for CVE-2025-10142
# CVE-2025-10142 - Vulnerability in PagSeguro-Connect-para-WooCommerce
This repository discloses a vulnerability discovered in [PagSeguro-Connect-para-WooCommerce <= 4.44.3](https://wordpress.org/plugins/pagbank-connect/), a WordPress plugin developed by Ricardo Martins.
## 🛠 Affected Version
- **Product**: PagSeguro-Connect-para-WooCommerce
- **Version**: v4.44.3
- **URL**: https://wordpress.org/plugins/pagbank-connect/
---
## 🔒 Assigned CVE
| CVE ID | Type | Component | Impact |
|-------------------|---------------------------|--------------------------|---------------------------|
| CVE-2025-10142 | Authenticated (Shop Manager+) SQL Injection | src/Connect/Recurring/Admin/Subscriptions/SubscriptionList.php | Authenticated attacker can exfiltrate data |
---
## 🧾 Detailed Description
### CVE-2025-10142 — Unauthorized Database Access And Data Exfiltration
- **Affected Component**: rm-pagbank-subscriptions admin page
- **Attack Vector**: Authenticated (Shop Manager or Administrator) via GET request
- **Trigger**: By injecting malicious SQL into the status parameter, an attacker can extract sensitive data from the database via UNION-based SQL injection.
```
GET /wp-admin/admin.php?page=rm-pagbank-subscriptions&status=' UNION SELECT CAST(version() AS CHAR),2,3,4,5,6,7,8,9,10,11,12,13,14,15 -- -
```
- **Impact**: Injected SQL is executed and the results are rendered in the HTML table on the admin page. Examples of extractable data include:
  - `version()` → database version
  - `user()` → MySQL user
  - `database()` → database name
  - `SELECT user_login, user_pass FROM wp_users` → hashed admin credentials
  - Any data from `wp_options`, `wp_usermeta`, etc.
## ❓ Reason for the vulnerability
The `status` parameter is concatenated directly into the `WHERE` clause without escaping. `sanitize_text_field()` strips tags and control characters but does not escape quotes, and the surrounding `$wpdb->prepare()` call only binds the `LIMIT`/`OFFSET` values, so the `$where` fragment (and with it the attacker-controlled string) is interpolated into the query verbatim.
```php
// Vulnerable code as shown in the advisory (SubscriptionList.php, abridged).
if (!empty($_REQUEST['status'])) {
    // sanitize_text_field() does not escape quotes, so the value remains
    // usable for SQL injection once it is interpolated below.
    $status = sanitize_text_field(wp_unslash($_REQUEST['status']));
    $where .= " AND status = '$status'";
}
$this->items = $wpdb->get_results(
    $wpdb->prepare(
        // $where is interpolated into the query string before prepare() runs;
        // only LIMIT and OFFSET are bound as parameters.
        "SELECT * FROM {$wpdb->prefix}pagbank_recurring WHERE $where ORDER BY $orderby $order LIMIT %d OFFSET %d",
        $per_page,
        ($current_page - 1) * $per_page
    ),
    ARRAY_A
);
...
```
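For comparison, the following is an added example of a parameterized rewrite of the query above; it is not the plugin's own patch. The function name and the column names in `$allowed_orderby` are hypothetical, and it assumes the same `$wpdb`, `$per_page` and `$current_page` inputs as the original listing.

```php
<?php
// Added example (not the plugin's own fix): bind the status value with a
// placeholder and allow-list the ORDER BY identifiers.

function rm_pagbank_list_subscriptions_safe(int $per_page, int $current_page): array
{
    global $wpdb;

    $where  = '1 = 1';
    $params = [];

    // The user-controlled value is bound with %s instead of being interpolated.
    // sanitize_text_field() keeps quotes intact, so it is not an SQL escape.
    if (!empty($_REQUEST['status'])) {
        $where   .= ' AND status = %s';
        $params[] = sanitize_text_field(wp_unslash($_REQUEST['status']));
    }

    // Identifiers (column name, sort direction) cannot be bound with %s/%d,
    // so they are validated against a fixed allow-list. On WordPress >= 6.2
    // the %i placeholder can bind the column name instead.
    $allowed_orderby = ['id', 'status', 'created_at'];  // hypothetical columns
    $orderby = (isset($_REQUEST['orderby']) && in_array($_REQUEST['orderby'], $allowed_orderby, true))
        ? $_REQUEST['orderby']
        : 'id';
    $order = (isset($_REQUEST['order']) && strtoupper((string) $_REQUEST['order']) === 'ASC')
        ? 'ASC'
        : 'DESC';

    $params[] = $per_page;
    $params[] = max(0, ($current_page - 1) * $per_page);

    // prepare() accepts a single array of arguments; every %s/%d is escaped
    // and quoted by WordPress before the query reaches MySQL.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}pagbank_recurring WHERE $where ORDER BY $orderby $order LIMIT %d OFFSET %d",
        $params
    );

    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}
```

With this form, a `status` value such as the one in the proof-of-concept request is passed to MySQL as a quoted string literal and simply matches no rows.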
## 🔍 Discoverer
- **Name**: MooseLove
- **Role**: Independent security researcher / bug hunter
- **Contact**: Available upon request
---
## 📚 References
- Product: https://wordpress.org/plugins/pagbank-connect/
---
## ⚠️ License
This advisory is provided for public security awareness. Free to share with attribution.