A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities:
SQL Injection -- The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create any widget type without permission checks.
PDO Multi-Statement Queries -- PHP PDO MySQL enables CLIENT_MULTI_STATEMENTS by default. Neither Yii2 nor Craft CMS disables it. This allows stacking an INSERT statement after the injected SELECT , writing a maliciously serialized PHP object into the queue table.
Unrestricted unserialize() -- The yii2-queue PhpSerializer calls unserialize() with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object.
Gadget Chain (FileCookieJar) -- GuzzleHttp\Cookie\FileCookieJar (a standard Guzzle dependency) has an unguarded __destruct() method that calls file_put_contents(). The attacker’s serialized payload writes a PHP webshell to the server’s webroot. PHP tags survive json_encode() because Guzzle uses options=0 (no JSON_HEX_TAG).
The complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET /actions/queue/run, an endpoint that requires no authentication ($allowAnonymous = ['run']).
/admin/actions/dashboard/create-widget with stacked SQL injection:settings[type] contains the stacked INSERT with the serialized gadget chainGET /actions/queue/runFileCookieJar::__destruct() writes webshell to webrootGET /poc_rce.php?c=iduid=1000(home) gid=1000(home) groups=1000(home)4.10.35.5.5Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N