VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

mooSocial Store Plugin 2.6 SQL Injection via product parameter

CVE-2018-25371

Description

mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

mooSocial Store Plugin 2.6 is vulnerable to unauthenticated blind SQL injection via the product parameter in URL rewrite, allowing data extraction.

Vulnerability

The mooSocial Store Plugin version 2.6 (and all earlier versions) contains a blind SQL injection vulnerability in the URL rewrite functionality. The product parameter in the /stores/product/ endpoint is not properly sanitized, allowing an attacker to inject arbitrary SQL queries. The vulnerability affects all versions of the plugin prior to the patched version 2.7 [1][2][4].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint. The injection point is the product URI parameter, which can be manipulated using boolean-based blind, time-based blind, or stacked query techniques. For example, appending `AND SLEEP(5)` to the product parameter causes a time delay, confirming the injection. No authentication or special privileges are required; the attacker only needs network access to the target application [2][4].

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, session tokens, or other confidential data. The blind SQL injection technique enables the attacker to retrieve data character by character without direct output. The impact is limited to information disclosure; no remote code execution or privilege escalation is reported [2][4].

Mitigation

The vendor released version 2.7 of the Store Plugin to address this vulnerability. Users should upgrade to version 2.7 or later immediately. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the product URI parameter allows unauthenticated SQL injection."

Attack vector

An unauthenticated attacker sends a crafted GET request to the `/stores/product/` endpoint, appending SQL injection payloads to the product slug in the URI. The exploit supports boolean-based blind injection (e.g., `AND 5011=5011`), time-based blind injection (e.g., `AND SLEEP(5)`), and stacked queries (e.g., `;SELECT SLEEP(5)#`) to infer or extract data from the database [ref_id=1]. No authentication or special privileges are required, and the attack is performed over HTTP.

Affected code

The vulnerability resides in the URL rewrite functionality of the mooSocial Store Plugin, where the product parameter in the URI path is passed unsanitized into database queries. The exploit targets the `/stores/product/` endpoint, which accepts a product slug (e.g., `2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65`) that is directly interpolated into SQL statements [ref_id=1].

What the fix does

The advisory states that version 2.7 is the patched version, but no patch diff or specific remediation details are provided in the reference material [ref_id=1]. The fix likely involves parameterizing the product value used in database queries or properly escaping the input before it reaches the SQL statement. Without the actual patch, the exact code changes cannot be described.
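The difference between an interpolated and a bound product value, as an added example that is not the plugin's code or the vendor's patch. The plugin's real query is not on this page; the table, the rule that the product key follows the last hyphen of the slug, and the function names are assumptions, and SQLite stands in for the store's database.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the store's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (65, 'short-sleeved shirt')")
    return conn

def product_key(slug_segment):
    # Assumption: the product key is whatever follows the last hyphen.
    return slug_segment.rsplit("-", 1)[-1]

def lookup_interpolated(conn, slug_segment):
    # Vulnerable pattern: request text becomes part of the SQL statement.
    sql = "SELECT name FROM products WHERE id = " + product_key(slug_segment)
    return conn.execute(sql).fetchone()

def lookup_parameterized(conn, slug_segment):
    # Hardened pattern: the value is bound and can only be compared as data.
    sql = "SELECT name FROM products WHERE id = ?"
    return conn.execute(sql, (product_key(slug_segment),)).fetchone()

# Slug and boolean conditions exactly as quoted on this page.
SLUG = "2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65"
TRUE_CASE = SLUG + " AND 5011=5011"
FALSE_CASE = SLUG + " AND 5011=5012"

def oracle_present(lookup):
    # A boolean-blind oracle exists when the true and false conditions
    # produce different results for the same product.
    conn = make_db()
    return lookup(conn, TRUE_CASE) != lookup(conn, FALSE_CASE)

if __name__ == "__main__":
    print("interpolated leaks a true/false signal:",
          oracle_present(lookup_interpolated))
    print("parameterized leaks a true/false signal:",
          oracle_present(lookup_parameterized))
```

With the bound value, both conditions return no row, so the response no longer depends on the injected expression, while the unmodified slug still resolves to the product.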

Preconditions

  • config: The mooSocial Store Plugin version 2.6 (or earlier) must be installed and the `/stores/product/` endpoint must be accessible.
  • network: The attacker must be able to send HTTP GET requests to the target server.
  • auth: No authentication or session is required; the vulnerability is triggerable by unauthenticated users.
  • input: The product URI parameter must be user-controllable and passed unsanitized into a SQL query.

Reproduction

1. Send a GET request to the vulnerable endpoint with a boolean-based blind payload: `GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND 5011=5011`.
2. Observe that the page returns normally (true condition).
3. Send a request with a false condition: `GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND 5011=5012`.
4. Observe that the page returns differently (false condition), confirming boolean-based blind injection.
5. For time-based confirmation, send: `GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65 AND SLEEP(5)` and note the 5-second delay.
6. For stacked queries, send: `GET /stores/product/2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65;SELECT SLEEP(5)#` [ref_id=1].
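The requests above leave a recognizable trace in web server access logs. The following added example (not from the advisory or the vendor) flags `/stores/product/` requests whose slug falls outside the expected character set and labels the technique. The log lines are constructed, and the rule that legitimate slugs contain only lowercase letters, digits and hyphens is an assumption based on the slug shown on this page.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/stores/product/"
SLUG = "2015-fashion-new-men-39-s-short-sleeved-shirt-slim-m-3xl-65"
# Assumption: legitimate slugs look like the one above.
SLUG_OK = re.compile(r"[a-z0-9-]+")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Checked in order; the first matching label wins.
SIGNS = [
    ("stacked", re.compile(r";")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("boolean", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
]

def classify(line):
    # Returns None for clean lines, otherwise a label for the bad slug.
    m = REQUEST.search(line)
    if not m:
        return None
    # Logs store spaces and '#' percent-encoded, so decode before matching.
    path = unquote(m.group(1).split("?", 1)[0])
    if not path.startswith(ENDPOINT):
        return None
    slug = path[len(ENDPOINT):].rstrip("/")
    if not slug or SLUG_OK.fullmatch(slug):
        return None
    for label, pattern in SIGNS:
        if pattern.search(slug):
            return label
    return "off-pattern"

def _line(ip, tail):
    # Builds one constructed combined-format log line.
    return f'{ip} - - [25/May/2026:10:00:00 +0000] "GET {ENDPOINT}{SLUG}{tail} HTTP/1.1" 200 512'

# Constructed sample: one normal view, then the three request shapes above.
SAMPLE_LOG = [
    _line("192.0.2.10", ""),
    _line("203.0.113.7", "%20AND%205011=5011"),
    _line("203.0.113.7", "%20AND%20SLEEP(5)"),
    _line("203.0.113.7", ";SELECT%20SLEEP(5)%23"),
]

def scan(lines):
    # Returns (client address, label) for every flagged line.
    labelled = ((line.split()[0], classify(line)) for line in lines)
    return [(ip, label) for ip, label in labelled if label]
```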

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
