Craft Commerce SQL Injection Leading to Remote Code Execution
A SQL injection vulnerability in the Craft Commerce TotalRevenue widget can lead to remote code execution through a chain of vulnerabilities including unsanitized widget settings in SQL expressions, enabled PDO Multi-Statement Queries, unrestricted unserialize(), and a FileCookieJar gadget chain, allowing attackers to write a PHP webshell to the server's webroot and achieve arbitrary command execution as the PHP process user.
A critical vulnerability exists in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. This vulnerability allows any authenticated control panel user to achieve remote code execution (RCE) on the target server. The attack leverages a SQL injection flaw in the TotalRevenue widget, where unsanitized widget settings are directly interpolated into a SQL expression. The default configuration of PHP's PDO MySQL, which enables CLIENT_MULTI_STATEMENTS, is exploited to inject additional SQL statements. This allows the attacker to write a maliciously serialized PHP object into the queue table. The yii2-queue PhpSerializer then unserializes this object without restrictions, leading to instantiation of an attacker-controlled object. Finally, a gadget chain within the GuzzleHttp\Cookie\FileCookieJar dependency is used to write a PHP webshell to the server's webroot. This complex chain of vulnerabilities culminates in arbitrary command execution as the PHP process user. Queue processing is triggered via GET /actions/queue/run, an endpoint that requires no authentication.
Attack Chain
- An attacker authenticates to the Craft Commerce control panel as any user.
- The attacker sends a POST request to
/admin/actions/dashboard/create-widgetto create a TotalRevenue widget. - The
settings[type]parameter in the POST request contains a stacked SQL injection payload. This payload leveragesCLIENT_MULTI_STATEMENTSto inject an INSERT statement after the initial SELECT query. The INSERT statement writes a serialized PHP object into the queue table. - The server returns an HTTP 500 error, indicating the INSERT statement was successfully committed.
- The attacker triggers queue processing by sending a GET request to
/actions/queue/run. - The queue consumer deserializes the injected PHP object from the queue table using
unserialize(), without any allowed classes restrictions. - This deserialization triggers the
__destruct()method of theGuzzleHttp\Cookie\FileCookieJarclass, which contains an unguarded call tofile_put_contents(). This writes a PHP webshell (e.g.,poc_rce.php) to the webroot. - The attacker accesses the webshell via a GET request (e.g.,
GET /poc_rce.php?c=id), executing arbitrary commands as the PHP process user.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the Craft Commerce server as the PHP process user. This can lead to complete system compromise, including data theft, modification, or destruction. Given the nature of e-commerce platforms, this could result in significant financial loss, reputational damage, and legal repercussions. The fact that any authenticated control panel user can trigger this vulnerability significantly widens the attack surface. This vulnerability impacts all versions of Craft Commerce between 4.0.0 and 4.10.2 and between 5.0.0 and 5.5.4.
Recommendation
- Immediately upgrade Craft Commerce to a patched version (4.10.3+ or 5.5.5+) to remediate CVE-2026-32271.
- Deploy the Sigma rule "Craft Commerce Webshell Creation via FileCookieJar" to detect webshell creation attempts via
file_put_contents. - Monitor web server logs for requests to
/actions/queue/runto detect unauthorized queue processing, referencing the attack chain description. - Consider disabling
CLIENT_MULTI_STATEMENTSin your PHP PDO configuration if possible, but be aware of potential compatibility issues.
Detection coverage 2
Craft Commerce Webshell Creation via FileCookieJar
criticalDetects the creation of a PHP webshell in the webroot via file_put_contents, potentially exploited through the FileCookieJar gadget chain in Craft Commerce RCE.
Craft Commerce Unauthorized Queue Run
mediumDetects GET requests to /actions/queue/run without prior authentication, indicating potential exploitation attempts.
Detection queries are available on the platform. Get full rules →