作者： Hong Kong security expert (practical advisory for site owners and developers)

This advisory explains an unauthenticated SQL injection affecting Product Rearrange for WooCommerce (versions 1.2.2 and earlier). Read in full and act immediately if you operate e-commerce sites in Hong Kong or elsewhere. The vulnerability permits remote attackers to execute SQL queries against your site database without logging in — risk includes data theft, manipulation, and full site compromise.

执行摘要（发生了什么以及您为什么应该关心）

A SQL injection (CVE-2026-31920) was disclosed on 20 March 2026 affecting Product Rearrange for WooCommerce up to 1.2.2. Exploitation requires no authentication and can expose or modify database contents, including user records, orders, and credentials. CVSS 9.3 indicates very high severity; immediate action is required.

潜在影响包括：

• Theft of customer data (names, emails, addresses, order history)
• Exposure of admin credentials stored in the database
• Product and pricing manipulation
• Site defacement or installation of persistent backdoors
• Lateral movement to other hosted assets

Technical overview (safe, non-exploitative explanation)

SQL Injection (SQLi) occurs when untrusted input is incorporated into SQL statements without proper sanitisation or parameter binding. Common WordPress causes include:

• Concatenating $_GET/$_POST values directly into SQL
• Not using $wpdb->prepare() for dynamic queries
• Allowing unvalidated input to control identifiers or clauses (ORDER BY, WHERE, LIMIT)

In this case:

• The plugin exposes an endpoint (likely AJAX or a public action) that accepts input from unauthenticated requests.
• That input is used to build SQL without safe parameterisation, enabling injection.

Who should act now

• Site owners using Product Rearrange for WooCommerce (any version ≤ 1.2.2).
• Agencies and managed-hosting teams with clients running the plugin.
• Hosts and security teams responsible for e-commerce sites.

Immediate actions (apply now — prioritized)

1. 确定受影响的网站
   • Search your installs for the plugin directory name: products-rearrange-woocommerce or check plugin slug “Product Rearrange for WooCommerce”.
   • Verify versions in WordPress Admin → Plugins, or inspect wp-content/plugins/products-rearrange-woocommerce/readme.txt 或 product-rearrange.php.
2. Temporarily deactivate or remove the plugin
   • If the plugin is not essential, deactivate it immediately from the admin console and remove it.
   • If dashboard access is not available, rename the plugin folder via FTP/SSH to force deactivation.
3. Block or rate-limit access to plugin endpoints
   • Restrict access to AJAX endpoints (admin-ajax.php) or custom action URLs until patched.
   • If you know the plugin action parameter (for example action=products_rearrange), block requests containing that parameter from public access.
4. 通过防火墙规则应用虚拟补丁
   • Use your web application firewall, WAF appliance, or webserver config to block SQLi patterns and requests that match the plugin endpoints.
   • Deploy targeted rules for the plugin action while you prepare a permanent fix.
5. Harden database and WordPress
   • Limit the database user privileges used by WordPress (avoid global GRANTs).
   • Ensure webserver cannot write to WordPress files unless necessary.
6. Backups & forensics
   • Create an offline snapshot of database and files before remediation changes.
   • Increase log retention for webserver and database logs to capture potential attack activity.
7. 扫描和审计
   • Perform malware scans and inspect wp_users, plugin tables, and wp_options 可疑更改。.

Quick mitigation recipes (safe to implement)

Always take backups before changing server configuration. If unsure, involve a system administrator.

A. Block plugin-specific AJAX action via web server (Nginx example)

location /wp-admin/admin-ajax.php {
    if ($arg_action = "products_rearrange") {
        return 403;
    }
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

B. Deny requests that match common SQLi payload patterns (mod_security-like)

SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx (union.+select|select.+from|sleep\(|benchmark\(|--|;|#)" \
    "id:1001001,phase:2,deny,log,msg:'Generic SQLi blocked'"

Tune these rules to reduce false positives (product SKUs or legitimate queries may match broad patterns).

C. Restrict admin-ajax.php by IP

If reorder functionality is only used from known IPs, temporarily allow admin-ajax.php only from those IPs.

D. Deactivate plugin via WordPress admin

Plugins → locate Product Rearrange for WooCommerce → Deactivate → Delete (if safe).

E. Emergency: rename plugin folder

Rename wp-content/plugins/products-rearrange-woocommerce to append -禁用 — WordPress will deactivate it. Useful when admin is inaccessible.

Layered protection approach (what to deploy while patching)

Use a layered defence while a permanent code fix is prepared and deployed:

• Targeted request blocking (by endpoint or action) to prevent exploit attempts.
• Generic SQLi detection patterns (tuned to avoid breaking legitimate traffic).
• Logging and alerting on blocked requests so you can monitor exploit attempts and respond.
• Rapid incident response plan to contain and recover if compromise is detected.

Detection: indicators and logs to watch

• 请求到 admin-ajax.php or custom plugin endpoints with unexpected parameters or long payloads.
• Requests containing encoded characters (%27, %22, %3B) together with SQL keywords.
• Spikes of POST/GET requests from specific IPs to admin-ajax.php.
• Unusual database queries or sudden increases in query volume in slow/general logs.
• 意外的管理员用户 wp_users or strange modifications in wp_options.
• 新的 PHP 文件在 wp-content/uploads or modified core/plugin/theme files.

Developer guidance: how to fix the root cause (safe code recommendations)

1. Validate and sanitise all external input
   • Use strict validation for numeric values (intval, filter_var with FILTER_VALIDATE_INT).
   • For enumerations (sort direction, column names), use strict whitelists.
2. Use $wpdb->prepare for database queries

   Never interpolate raw input into SQL. Example vulnerable pattern (do not use):

   // Vulnerable: direct concatenation (do not use)
   $order = $_GET['order'];
   $sql = "SELECT * FROM {$wpdb->prefix}posts ORDER BY {$order}";
   $results = $wpdb->get_results($sql);

   Secure approach (whitelist identifiers, prepare values):

   // Secure: whitelist and prepare
   $allowed_orders = array('menu_order', 'post_date', 'post_title');
   $order = isset($_GET['order']) && in_array($_GET['order'], $allowed_orders, true) ? $_GET['order'] : 'menu_order';
   
   // Note: $wpdb->prepare cannot bind identifiers, so whitelist them
   $sql = $wpdb->prepare(
       "SELECT * FROM {$wpdb->posts} WHERE post_type = %s ORDER BY $order LIMIT %d",
       'product',
       intval($_GET['limit'] ?? 20)
   );
   $results = $wpdb->get_results($sql);

   When query parts cannot be parameterised (table or column names), enforce strict whitelists.

3. Enforce capability and nonce checks

   Admin operations must verify capabilities (e.g. current_user_can('manage_woocommerce')) and validate nonces (check_admin_referer()) for authenticated actions. For any unauthenticated endpoints, do not allow sensitive DB operations.

4. Avoid exposing powerful SQL behaviours publicly

   Reorder or administrative features should be available only to authenticated users with appropriate capabilities.

5. Use proper AJAX handlers

   使用 wp_ajax_ for authenticated AJAX and restrict wp_ajax_nopriv_ to safe, read-only operations.

6. Testing: unit tests and fuzzing

   Add tests that simulate malicious input and verify the plugin rejects them. Run fuzzing in staging or CI pipelines.

7. Sanitise output

   Escape returned values with esc_html, esc_attr and return JSON via wp_send_json() 或 wp_send_json_error().

Suggested secure coding checklist (for plugin authors)

• All user inputs validated and sanitised
• Use $wpdb->prepare for parameterised queries whenever possible
• Whitelists for identifiers (columns/tables)
• Strong capability checks for privileged actions
• Nonces enforced for form and AJAX submissions
• Minimal database user privileges
• Unit tests for SQLi and unexpected inputs
• Security review before release

事件响应：如果您怀疑被攻破

1. 隔离 — put the site into maintenance mode or take it offline if compromise is suspected.
2. 备份 — export DB and files for forensic analysis; keep immutable copies.
3. 保留日志 — collect webserver, WAF, and DB logs before any rotation.
4. 扫描和清理 — combine automated scanners with manual review; look for PHP files in uploads, modified files, and rogue scheduled tasks.
5. 更换凭据 — reset WordPress admin passwords, DB credentials, API keys, and third-party secrets.
6. 恢复 — if needed, restore from a known-good backup; test on staging first.
7. Root cause and patch — ensure the plugin is updated or patched before returning the site to production.
8. 通知。 — if customer data may have been exposed, follow local data breach notification rules (Hong Kong PDPO or other applicable regulations) and inform affected users as required.

Testing & validation after mitigation

• Confirm the plugin has been removed or updated.
• Verify WAF or webserver rules are active and that logs show blocks for malicious attempts.
• Run a full malware and integrity scan; perform a DB consistency check.
• Validate checkout and payment flows in staging before resuming business traffic.

Longer-term prevention: environment & policy recommendations

• Keep plugins, themes, and WordPress core updated under a scheduled maintenance process.
• Use staging for plugin updates and tests before production rollout.
• Enforce least privilege for DB users and file permissions.
• Monitor logs and set alerts for spikes to admin-ajax or other plugin endpoints.
• Maintain frequent backups and run disaster recovery tests.
• Require strong passwords and multi-factor authentication for all admin accounts.
• Perform periodic code audits on widely used third-party plugins.

Example WAF rules (safe, high-level patterns)

Below are illustrative examples you can adapt. Test thoroughly to avoid false positives.

SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx (union.+select|select.+from|sleep\(|benchmark\(|--\s|;--|\bconcat\(|\bcast\()"
    "id:1002001,phase:2,deny,log,msg:'Suspicious SQLi pattern blocked'"

if ($request_method = "GET") {
    if ($query_string ~* "(union|select).*(--|;|#)") {
        return 403;
    }
}

Tune rules using your WAF logs to reduce false positives; e-commerce sites sometimes generate unusual query strings.

Why site owners must act fast

Public disclosure of unauthenticated SQLi often triggers automated mass-scanning and exploitation. The unauthenticated nature and high CVSS mean the attack window is short — immediate containment and monitoring substantially reduce risk.

Final checklist: what to do now (quick reference)

1. 搜索 products-rearrange-woocommerce across your estate.
2. If present, deactivate the plugin or disable its public endpoints immediately.
3. If you cannot deactivate, restrict access to plugin endpoints (IP allowlist or webserver/WAF rules).
4. Apply tuned rules to block SQLi attempts and requests targeting the plugin.
5. Back up database and files now; store offline.
6. Scan for compromise and signs of data exfiltration or new admin users.
7. If you are a plugin author, implement the developer guidance above and release a fixed plugin that uses parameterised queries and whitelists.
8. Engage a qualified security professional if you need hands-on containment, forensic analysis, or recovery assistance.

Closing notes (Hong Kong security expert)

Unauthenticated SQL injection is among the most dangerous vulnerabilities for online stores. In Hong Kong’s busy e-commerce environment, rapid containment matters — mitigate exposure first, then apply a permanent secure-code patch. Prioritise verifying backups, preserving logs, and remediating at scale if you manage multiple sites. If you operate client sites, notify them and begin containment immediately.

Stay vigilant: validate every external input, use parameterised queries, and enforce least privilege. If you require expert assistance, consult a reputable, independent security consultant with WordPress and incident response experience.