Craft Commerce Blind SQL Injection via hasVariant/hasProduct Properties
A blind SQL injection vulnerability exists in Craft Commerce's `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties, allowing authenticated control panel users to extract arbitrary database contents and potentially escalate privileges.
A blind SQL injection vulnerability has been identified in Craft Commerce, specifically affecting the ProductQuery::hasVariant and VariantQuery::hasProduct properties. This vulnerability bypasses a blocklist implemented in ElementIndexesController (GHSA-2453-mppf-46cj) intended to prevent SQL injection attacks. The bypass occurs because the blocklist only filters top-level Yii2 Query properties, while hasVariant and hasProduct pass through without sanitization. These properties then call Craft::configure() on a subquery, reintroducing the SQL injection vulnerability via a crafted criteria[hasVariant][where]=INJECTED_SQL parameter. This flaw allows an authenticated user of the control panel to perform boolean-based blind SQL injection and extract sensitive information from the database. The vulnerability affects composer/craftcms/commerce versions 5.0.0 to before 5.6.0.
Attack Chain
- Attacker authenticates to the Craft Commerce control panel.
- Attacker crafts a malicious HTTP request targeting the
ElementIndexesController. - The crafted request includes a
criteria[hasVariant][where]parameter containing the SQL injection payload. - The
ElementIndexesControllerprocesses the request and calls thehasVariantorhasProductproperty. Craft::configure()is invoked on a subquery without proper sanitization, injecting the malicious SQL.- The database executes the injected SQL query, performing boolean-based comparisons.
- Attacker infers database content based on response times or boolean results, exfiltrating data bit by bit.
- Attacker extracts sensitive information like security keys to forge admin sessions, leading to full control.
Impact
Successful exploitation of this vulnerability grants attackers full read access to the Craft Commerce database. This includes sensitive data such as user credentials, API keys, and financial information. By extracting the security key, an attacker can forge administrative sessions, leading to complete control over the compromised Craft Commerce instance. This could lead to data breaches, financial loss, and reputational damage. While the number of affected installations is unknown, any Craft Commerce installation with the Commerce plugin installed and products with variants created is potentially vulnerable.
Recommendation
- Upgrade
composer/craftcms/commerceto version 5.6.0 or later to patch CVE-2026-32272. - Deploy the Sigma rules provided below to detect potential exploitation attempts targeting the
ElementIndexesController. - Monitor web server logs for suspicious requests containing
criteria[hasVariant][where]orcriteria[hasProduct][where]parameters with potentially malicious SQL syntax. - Implement web application firewall (WAF) rules to filter out requests containing SQL injection payloads in the
criteria[hasVariant][where]andcriteria[hasProduct][where]parameters.
Detection coverage 3
Detect Craft Commerce SQL Injection Attempt via hasVariant
highDetects potential SQL injection attempts in Craft Commerce via the hasVariant parameter in the ElementIndexesController.
Detect Craft Commerce SQL Injection Attempt via hasProduct
highDetects potential SQL injection attempts in Craft Commerce via the hasProduct parameter in the ElementIndexesController.
Detect SQL Injection Keywords in URI Query
mediumDetects generic SQL injection keywords in URI queries, potentially related to Craft Commerce exploitation attempts.
Detection queries are available on the platform. Get full rules →