Alipay <= 3.7.2 - Authenticated SQL Injection

Vulnerability

The WordPress Alipay|财付通Tenpay|贝宝PayPal集成插件 (Alipay plugin) up to version 3.7.2 contains a SQL injection vulnerability in the /includes/tpl.edit_product.php file at line 65. The proid parameter from the GET request is directly concatenated into a SQL query without sanitization, escaping, or quote delimiters, allowing injection of arbitrary SQL fragments [1]. The affected file is part of the plugin's administrative interface.

Exploitation

An attacker must have Administrator-level access to the WordPress admin panel [1]. The exploit is triggered via a crafted GET request to wp-admin/options-general.php?page=ws_alipay&action=edit&proid=... where the proid parameter contains a malicious payload such as -5818 UNION ALL SELECT ... user() ... # [1]. The provided proof-of-concept demonstrates a UNION-based injection that retrieves database user information [2]. No other privileges or interaction beyond administrator access is required.

Impact

Successful exploitation allows an authenticated administrator to extract arbitrary data from the WordPress database, including user credentials and other sensitive information. The example PoC retrieves the current database user via the user() function [1]. The injection could also be extended to modify or delete data, though the primary impact is information disclosure. The attacker achieves the same privilege level as the admin user but can exfiltrate data not normally visible through the admin interface.

Mitigation

As of the latest disclosure (July 2021), no fix has been released by the vendor [2]. The plugin remains unpatched, and users are advised to either remove or disable the plugin until a security update is provided. No workarounds have been formally published. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.