WordPress Plugin Vulnerabilities

WooCommerce Payments < 5.9.1 - Shop Manager+ SQLi

Description

The plugin does not sanitize and escape the currency, currency_is and currency_is_not parameters before using them in a SQL statement, allowing Shop Manager roles and above to perform SQL injection attacks

Affects Plugins

Plugin icon
woocommerce-payments
Fixed in 5.9.1

References

CVE
CVE-2023-35915

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
923836d0-1a79-483d-9fe8-cf13af7468b3

Timeline

Publicly Published
2023-12-20 (about 2 years ago)
Added
2024-05-21 (about 1 year ago)
Last Updated
2024-05-21 (about 1 year ago)

Other

Published
Title
Published
2015-06-02
Title
LeagueManager <= 3.9.11 - Unauthenticated SQL Injection
Published
2020-07-18
Title
Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()
Published
2024-12-05
Title
KiviCare – Clinic & Patient Management System (EHR) < 3.6.5 - Unauthenticated SQL Injection
Published
2024-04-29
Title
rtMedia for WordPress, BuddyPress and bbPress < 4.6.19 - Subscriber+ SQL Injection
Published
2025-10-21
Title
Email Tracker < 5.3.16 - Authenticated (Admin+) SQL Injection