========================================================== CVE-2026-54849 - Premmerce Wishlist for WooCommerce SQLi ROOT=/data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle date: 2026-07-05T13:35:25Z ========================================================== [i] project_cache_context.json present: { "project_id": null, "requested_cache_mode": "auto", "resolved_cache_mode": "cold", "cache_hit": false, "project_cache_entry_id": null, "prepared": false, "project_cache_dir": null, "repo_mirror_dir": null, "backend_support": "unassigned", "fallback_reason": null, "allowed_reuse_classes": [ "infrastructure" ], "reuse_safety_policy": "Cached repos, package downloads, and toolchains are reusable. Cached build outputs are reusable only when their source path, commit/ref, dependency lockfiles, compiler/toolchain, and build flags match the current script. For CMake, if CMakeCache.txt CMAKE_HOME_DIRECTORY differs from the source directory, delete/recreate that build directory before building.", "proof_policy": "Fresh proof is required for the current run. Historical proof artifacts may only be used as explicit reference material in warm_proof_carry mode.", "proof_carry": null }[i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/premmerce-1.1.11.zip (930475 bytes) [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/premmerce-1.1.12.zip (927132 bytes) [i] artifact ok: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/artifacts/woocommerce.8.9.3.zip (21029990 bytes) [i] pulling docker images (cached if present) [i] tearing down any previous stack [i] starting MariaDB [i] starting WordPress (wordpress:6.7.2-php8.2-apache) [i] waiting for MariaDB to accept connections [i] MariaDB ready after 10s [i] waiting for WordPress apache to respond [i] WordPress apache up (http=302) after 1s [i] installing wp-cli inside WordPress container [i] running WordPress core install (admin=sqliadmin, url=http://premmerce-wp) Success: WordPress installed successfully. [i] installing + activating WooCommerce 8.9.3 (from cached zip) Activating 'woocommerce'... Plugin 'woocommerce' activated. Success: Installed 1 of 1 plugins. [i] enabling pretty permalinks Success: Rewrite rules flushed. Success: Rewrite rules flushed. [i] installing Premmerce Wishlist 1.1.11 (VULNERABLE) Success: Plugin already deleted. Plugin 'premmerce-woocommerce-wishlist' activated. Success: Installed 1 of 1 plugins. name version premmerce-woocommerce-wishlist 1.1.11 woocommerce 8.9.3 [*] VULNERABLE attempts [vuln-sleep-1] SLEEP payload -> http=200 time=5.197395s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/vuln_sleep_1.body) [vuln-sleep-2] SLEEP payload -> http=200 time=6.098308s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/vuln_sleep_2.body) [vuln-union-1] UNION payload -> http=200 time=0.144972s leak=1 (occurrences of 'sqliadmin') (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/vuln_union_1.body) [vuln-union-2] UNION payload -> http=200 time=0.078621s leak=1 (occurrences of 'sqliadmin') (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/vuln_union_2.body) [i] installing Premmerce Wishlist 1.1.12 (FIXED) Plugin 'premmerce-woocommerce-wishlist' deactivated. Success: Deactivated 1 of 1 plugins. Deleted 'premmerce-woocommerce-wishlist' plugin. Success: Deleted 1 of 1 plugins. Plugin 'premmerce-woocommerce-wishlist' activated. Success: Installed 1 of 1 plugins. name version premmerce-woocommerce-wishlist 1.1.12 woocommerce 8.9.3 [*] FIXED attempts (negative control) [fixed-sleep-1] SLEEP payload -> http=200 time=0.121983s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/fixed_sleep_1.body) [fixed-sleep-2] SLEEP payload -> http=200 time=0.076013s (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/fixed_sleep_2.body) [fixed-union-1] UNION payload -> http=200 time=0.076864s leak=0 (occurrences of 'sqliadmin') (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/fixed_union_1.body) [fixed-union-2] UNION payload -> http=200 time=0.072707s leak=0 (occurrences of 'sqliadmin') (body: /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/artifacts/fixed_union_2.body) ========================================================== RESULTS vulnerable SLEEP times: 5.197395 6.098308 vulnerable UNION leaks: 1 1 fixed SLEEP times: 0.121983 0.076013 fixed UNION leaks: 0 0 ========================================================== vuln_sleep_ok=true vuln_union_ok=true fixed_sleep_ok=true fixed_union_ok=true [i] wrote /data/pruva/runs/d6a2ae4c-d5a4-4728-a923-2686f819f867/bundle/repro/runtime_manifest.json [i] runtime_manifest.json: { "entrypoint_kind": "api_remote", "entrypoint_detail": "Unauthenticated HTTP GET to WordPress REST endpoint /?rest_route=/premmerce/wishlist/add/popup with crafted premmerce_wishlist cookie (sent from a separate Docker-network client container to the WordPress service by container name).", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "mariadb:11.4", "wordpress:6.7.2-php8.2-apache", "woocommerce 8.9.3", "premmerce-woocommerce-wishlist" ], "proof_artifacts": [ "repro/artifacts/fixed_sleep_1.body", "repro/artifacts/fixed_sleep_2.body", "repro/artifacts/fixed_union_1.body", "repro/artifacts/fixed_union_2.body", "repro/artifacts/vuln_sleep_1.body", "repro/artifacts/vuln_sleep_2.body", "repro/artifacts/vuln_union_1.body", "repro/artifacts/vuln_union_2.body" ], "vulnerable_sleep_seconds": [ 5.197395, 6.098308 ], "vulnerable_union_leak_counts": [ 1, 1 ], "fixed_sleep_seconds": [ 0.121983, 0.076013 ], "fixed_union_leak_counts": [ 0, 0 ], "confirmation_status": "confirmed", "notes": "Unauthenticated SQL injection confirmed on Premmerce Wishlist 1.1.11 via premmerce_wishlist cookie; fixed in 1.1.12." } [+] CONFIRMED: CVE-2026-54849 unauthenticated SQL injection reproduced.