{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/craft-commerce/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-32271"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft Commerce"],"_cs_severities":["critical"],"_cs_tags":["craft-commerce","sql-injection","rce","webshell"],"_cs_type":"advisory","_cs_vendors":["Craft"],"content_html":"\u003cp\u003eA critical vulnerability exists in Craft Commerce versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4. This vulnerability allows any authenticated control panel user to achieve remote code execution (RCE) on the target server. The attack leverages a SQL injection flaw in the TotalRevenue widget, where unsanitized widget settings are directly interpolated into a SQL expression. The default configuration of PHP's PDO MySQL, which enables \u003ccode\u003eCLIENT_MULTI_STATEMENTS\u003c/code\u003e, is exploited to inject additional SQL statements. This allows the attacker to write a maliciously serialized PHP object into the queue table. The yii2-queue PhpSerializer then unserializes this object without restrictions, leading to instantiation of an attacker-controlled object. Finally, a gadget chain within the GuzzleHttp\\Cookie\\FileCookieJar dependency is used to write a PHP webshell to the server's webroot. This complex chain of vulnerabilities culminates in arbitrary command execution as the PHP process user. Queue processing is triggered via GET \u003ccode\u003e/actions/queue/run\u003c/code\u003e, an endpoint that requires no authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Craft Commerce control panel as any user.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/admin/actions/dashboard/create-widget\u003c/code\u003e to create a TotalRevenue widget.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esettings[type]\u003c/code\u003e parameter in the POST request contains a stacked SQL injection payload. This payload leverages \u003ccode\u003eCLIENT_MULTI_STATEMENTS\u003c/code\u003e to inject an INSERT statement after the initial SELECT query. The INSERT statement writes a serialized PHP object into the queue table.\u003c/li\u003e\n\u003cli\u003eThe server returns an HTTP 500 error, indicating the INSERT statement was successfully committed.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers queue processing by sending a GET request to \u003ccode\u003e/actions/queue/run\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe queue consumer deserializes the injected PHP object from the queue table using \u003ccode\u003eunserialize()\u003c/code\u003e, without any allowed classes restrictions.\u003c/li\u003e\n\u003cli\u003eThis deserialization triggers the \u003ccode\u003e__destruct()\u003c/code\u003e method of the \u003ccode\u003eGuzzleHttp\\Cookie\\FileCookieJar\u003c/code\u003e class, which contains an unguarded call to \u003ccode\u003efile_put_contents()\u003c/code\u003e. This writes a PHP webshell (e.g., \u003ccode\u003epoc_rce.php\u003c/code\u003e) to the webroot.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the webshell via a GET request (e.g., \u003ccode\u003eGET /poc_rce.php?c=id\u003c/code\u003e), executing arbitrary commands as the PHP process user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the Craft Commerce server as the PHP process user. This can lead to complete system compromise, including data theft, modification, or destruction. Given the nature of e-commerce platforms, this could result in significant financial loss, reputational damage, and legal repercussions. The fact that any authenticated control panel user can trigger this vulnerability significantly widens the attack surface. This vulnerability impacts all versions of Craft Commerce between 4.0.0 and 4.10.2 and between 5.0.0 and 5.5.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Craft Commerce to a patched version (4.10.3+ or 5.5.5+) to remediate CVE-2026-32271.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Craft Commerce Webshell Creation via FileCookieJar\u0026quot; to detect webshell creation attempts via \u003ccode\u003efile_put_contents\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/actions/queue/run\u003c/code\u003e to detect unauthorized queue processing, referencing the attack chain description.\u003c/li\u003e\n\u003cli\u003eConsider disabling \u003ccode\u003eCLIENT_MULTI_STATEMENTS\u003c/code\u003e in your PHP PDO configuration if possible, but be aware of potential compatibility issues.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-craft-commerce-rce/","summary":"A SQL injection vulnerability in the Craft Commerce TotalRevenue widget can lead to remote code execution through a chain of vulnerabilities including unsanitized widget settings in SQL expressions, enabled PDO Multi-Statement Queries, unrestricted unserialize(), and a FileCookieJar gadget chain, allowing attackers to write a PHP webshell to the server's webroot and achieve arbitrary command execution as the PHP process user.","title":"Craft Commerce SQL Injection Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-craft-commerce-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-32272"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft Commerce"],"_cs_severities":["high"],"_cs_tags":["sqli","craft-commerce","web-application"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA blind SQL injection vulnerability has been identified in Craft Commerce, specifically affecting the \u003ccode\u003eProductQuery::hasVariant\u003c/code\u003e and \u003ccode\u003eVariantQuery::hasProduct\u003c/code\u003e properties. This vulnerability bypasses a blocklist implemented in \u003ccode\u003eElementIndexesController\u003c/code\u003e (GHSA-2453-mppf-46cj) intended to prevent SQL injection attacks. The bypass occurs because the blocklist only filters top-level Yii2 Query properties, while \u003ccode\u003ehasVariant\u003c/code\u003e and \u003ccode\u003ehasProduct\u003c/code\u003e pass through without sanitization. These properties then call \u003ccode\u003eCraft::configure()\u003c/code\u003e on a subquery, reintroducing the SQL injection vulnerability via a crafted \u003ccode\u003ecriteria[hasVariant][where]=INJECTED_SQL\u003c/code\u003e parameter. This flaw allows an authenticated user of the control panel to perform boolean-based blind SQL injection and extract sensitive information from the database. The vulnerability affects composer/craftcms/commerce versions 5.0.0 to before 5.6.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Craft Commerce control panel.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003eElementIndexesController\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ecriteria[hasVariant][where]\u003c/code\u003e parameter containing the SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eElementIndexesController\u003c/code\u003e processes the request and calls the \u003ccode\u003ehasVariant\u003c/code\u003e or \u003ccode\u003ehasProduct\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCraft::configure()\u003c/code\u003e is invoked on a subquery without proper sanitization, injecting the malicious SQL.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL query, performing boolean-based comparisons.\u003c/li\u003e\n\u003cli\u003eAttacker infers database content based on response times or boolean results, exfiltrating data bit by bit.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive information like security keys to forge admin sessions, leading to full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers full read access to the Craft Commerce database. This includes sensitive data such as user credentials, API keys, and financial information. By extracting the security key, an attacker can forge administrative sessions, leading to complete control over the compromised Craft Commerce instance. This could lead to data breaches, financial loss, and reputational damage. While the number of affected installations is unknown, any Craft Commerce installation with the Commerce plugin installed and products with variants created is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ecomposer/craftcms/commerce\u003c/code\u003e to version 5.6.0 or later to patch CVE-2026-32272.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts targeting the \u003ccode\u003eElementIndexesController\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing \u003ccode\u003ecriteria[hasVariant][where]\u003c/code\u003e or \u003ccode\u003ecriteria[hasProduct][where]\u003c/code\u003e parameters with potentially malicious SQL syntax.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out requests containing SQL injection payloads in the \u003ccode\u003ecriteria[hasVariant][where]\u003c/code\u003e and \u003ccode\u003ecriteria[hasProduct][where]\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-craft-commerce-sqli/","summary":"A blind SQL injection vulnerability exists in Craft Commerce's `ProductQuery::hasVariant` and `VariantQuery::hasProduct` properties, allowing authenticated control panel users to extract arbitrary database contents and potentially escalate privileges.","title":"Craft Commerce Blind SQL Injection via hasVariant/hasProduct Properties","url":"https://feed.craftedsignal.io/briefs/2024-01-03-craft-commerce-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Craft-Commerce","version":"https://jsonfeed.org/version/1.1"}