CVE-2025-68519 WordPress Brands for WooCommerce Plugin
CVE-2025-68519 WordPress Brands for WooCommerce Plugin <= 3.8.6.3 is vulnerable to SQL Injection

Overview
- Published: 2025-12-24
- CVE ID: CVE-2025-68519
- Affected Plugin: WordPress Brands for WooCommerce
- Affected Versions: <= 3.8.6.3
- Vulnerability Type: SQL Injection (CWE-89), blind / time-based
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BeRocket Brands for WooCommerce (brands-for-woocommerce) allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through 3.8.6.3.

According to the official changelog, the vendor released version 3.8.6.4 to address this issue. The release notes contain the following entry:
- Fix – SQL vulnerability in shortcodes
This confirms that the SQL Injection was present in version 3.8.6.3 and earlier, and identifies the plugin's shortcode handling as the vector. Users are strongly advised to update to version 3.8.6.4 or later. For the purpose of reproducing the vulnerability and debugging, I downloaded version 3.8.6.3 for testing.
Patch & Commit Analysis

Looking at the patch, the developer replaced the insufficient trim() call with sanitize_title_for_query(). This WordPress core function runs sanitize_title() in the 'query' context, which whitelists the value down to lowercase letters, digits, percent-encoded octets, underscores and hyphens (it also lowercases the value and turns whitespace into hyphens). Because a single quote is not in that set, it is stripped, and the injected string can no longer break out of the quoted IN (...) list. (Ref: https://developer.wordpress.org/reference/functions/sanitize_title_for_query) Note that this is a normalising whitelist rather than escaping: it only keeps working as a filter where the compared column already holds slug-form values, and it is not a substitute for $wpdb->prepare() when values are interpolated into SQL.
Root Cause Analysis: From Source to Sink

After the shortcode is executed, the breakpoint at $brands_include = explode(',', $atts['brands_include']); is hit. As seen in the screenshot, the $atts['brands_include'] attribute carries our SQLi payload unchanged.

Stepping over, execution enters the foreach loop. Inside the loop, the code reaches the "sanitization" block: $brands_include_checked[] = trim($brand_include);

Vulnerability Point: trim() only removes whitespace from the beginning and end of the string. Crucially, it does not escape or remove single quotes (') or any other SQL metacharacter, so the payload passes through untouched.

Immediately after the ineffective sanitization we reach the sink, the line where the SQL query is assembled. At this breakpoint the malicious payload has not yet been appended to the $query variable.

I step one more line to confirm that the payload is injected into the query.

Stepping over one more line (the implode(...) call), we confirm that the payload is concatenated directly into the SQL statement. Inspecting the final query shows:

```sql
WHERE tt.taxonomy='berocket_brand' AND t.term_id IN (19,20,21,17,18) AND tt.count <> '' AND t.name IN ('1') OR SLEEP(5) --')
```

Note: For debugging purposes I used SLEEP(5) to make the injection point obvious in the IDE, whereas SLEEP(0.1) was used in the actual PoC to avoid timeouts.
Proof Of Concept

Using Add New Page in wp-admin, I created a page containing the plugin shortcode, placed the payload in the shortcode attribute, and published it. As the PoC shows, exploitation requires an account that can create content containing the plugin's shortcode. Why use a time-based payload of only 0.1 seconds? The injected OR sits inside the WHERE clause, so the database evaluates SLEEP(0.1) once for every row for which the preceding conditions are false, not once per query. Across the rows scanned, these small delays add up to a measurable response time of several seconds without triggering a server timeout.

The request took approximately 3.7s with the SLEEP(0.1) payload. To verify that the delay tracks the payload rather than server noise, I increased the sleep to 0.3s.


In the second request with SLEEP(0.3), the server response time increased to approximately 8s. The delay grows with the sleep value, which confirms that the time-based SQL Injection is real and not a measurement artifact.
Remediation & Mitigation
1. For End Users (Administrators)
To address this vulnerability, administrators should update the Brands for WooCommerce plugin to the patched version immediately.
- Fixed Version: 3.8.6.4 or higher.
Action: Go to the WordPress Dashboard > Plugins, check for updates, and install the latest version of "Brands for WooCommerce".
Temporary Mitigation: If an immediate update is not possible, remove the plugin's shortcodes from published content (or deactivate the plugin) and review which roles are allowed to create content containing shortcodes. A Web Application Firewall (WAF) with rules for common time-based payloads (e.g. SLEEP(), BENCHMARK()) is a stopgap only: the injection point accepts arbitrary SQL, and payloads can be rewritten to avoid obvious keywords.
2. For Developers (Secure Coding Practices)
The root cause of this vulnerability was reliance on trim(), which is not a sanitization function at all: it strips whitespace and leaves SQL metacharacters such as the single quote (') intact.
Recommended Fix:
- Use Context-Specific Sanitization: As seen in the official patch, the vendor replaced trim() with sanitize_title_for_query(), which strips unsafe characters before the value is used in a query context (with the slug-normalization caveat noted in the patch analysis). Reconstructed from the patch description:

```php
// Vulnerable Code
$brands_include_checked[] = trim( $brand_include );

// Patched Code (3.8.6.4)
$brands_include_checked[] = sanitize_title_for_query( $brand_include );
```

- Use Prepared Statements (Best Practice): The most robust defense against SQL Injection in WordPress is $wpdb->prepare(). It escapes and quotes every bound value, so the database treats user input as data, not as executable SQL. Because the sink here is an IN (...) list of variable length, one %s placeholder is generated per value:

```php
global $wpdb;
// One %s placeholder per brand; prepare() escapes and quotes each value.
$placeholders = implode( ', ', array_fill( 0, count( $brands_include_checked ), '%s' ) );
$query .= $wpdb->prepare( " AND t.name IN ($placeholders)", $brands_include_checked );
```
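The following is an added example, not the plugin's own code, tying the root-cause walkthrough above to the developer recommendations: a minimal shortcode handler that accepts the same comma-separated brand list as the vulnerable path, builds the name filter once the vulnerable way (explode / trim / implode) and once with $wpdb->prepare(), and shows what the payload from the debugger session becomes in each case. It assumes WordPress is loaded ($wpdb, shortcode_atts(), add_shortcode(), esc_html()); the shortcode tag 'brands_example' and the handler names are illustrative, and the table and taxonomy names mirror the query shown above.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded so that
// $wpdb, shortcode_atts(), add_shortcode() and esc_html() exist. The shortcode
// tag 'brands_example' and the function names are illustrative.

/**
 * Vulnerable pattern: trim() strips whitespace only, so a quote in the value
 * survives into the SQL string. With the payload used in the walkthrough,
 *   brands_where_vulnerable( "1') OR SLEEP(5) --" )
 * returns exactly the fragment seen in the debugger:
 *   AND t.name IN ('1') OR SLEEP(5) --')
 */
function brands_where_vulnerable( $brands_include ) {
	$checked = array();
	foreach ( explode( ',', $brands_include ) as $brand ) {
		$checked[] = trim( $brand );
	}
	return "AND t.name IN ('" . implode( "','", $checked ) . "')";
}

/**
 * Hardened pattern: one %s placeholder per value, then $wpdb->prepare() escapes
 * and quotes each value, so the same payload becomes a plain string literal:
 *   AND t.name IN ('1\') OR SLEEP(5) --')
 * An empty list is handled explicitly because "IN ()" is a MySQL syntax error.
 */
function brands_where_prepared( $brands_include ) {
	global $wpdb;
	$checked = array();
	foreach ( explode( ',', $brands_include ) as $brand ) {
		$brand = trim( $brand );
		if ( '' !== $brand ) {
			$checked[] = $brand;
		}
	}
	if ( empty( $checked ) ) {
		return '';
	}
	$placeholders = implode( ', ', array_fill( 0, count( $checked ), '%s' ) );
	// prepare() accepts the bound values as a single array argument.
	return $wpdb->prepare( "AND t.name IN ($placeholders)", $checked );
}

/**
 * Shortcode handler using the hardened filter. The attacker-controlled input is
 * the brands_include attribute, exactly as in the vulnerable code path.
 */
function brands_example_shortcode( $atts ) {
	global $wpdb;
	$atts = shortcode_atts( array( 'brands_include' => '' ), $atts, 'brands_example' );

	$sql = "SELECT t.term_id, t.name
	        FROM {$wpdb->terms} AS t
	        INNER JOIN {$wpdb->term_taxonomy} AS tt ON tt.term_id = t.term_id
	        WHERE tt.taxonomy = 'berocket_brand' "
	     . brands_where_prepared( $atts['brands_include'] );

	$out = '<ul class="brands-example">';
	foreach ( $wpdb->get_results( $sql ) as $row ) {
		// Escape on output as well: term names are stored data, not trusted HTML.
		$out .= '<li>' . esc_html( $row->name ) . '</li>';
	}
	return $out . '</ul>';
}
add_shortcode( 'brands_example', 'brands_example_shortcode' );
```

With the page content [brands_example brands_include="1') OR SLEEP(5) --"], the hardened handler queries for a brand literally named 1') OR SLEEP(5) -- and returns an empty list, while the vulnerable builder would have produced the OR SLEEP(5) query from the debugger session. Generating the placeholder list from count($checked) is the part developers most often get wrong when moving an IN (...) clause to prepare(); hard-coding a fixed number of %s placeholders silently drops values or throws once the list length changes.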