11 Jan 2024

Authenticated SQL Injection Vulnerability in PDF Invoices & Packing Slips for WooCommerce

One of the changelog entries for the latest version of the WordPress plugin PDF Invoices & Packing Slips for WooCommerce is “Fix: potential SQL injection bug in Number Tools”. In looking into that, we found that this wasn’t a potential issue, but a vulnerability. Specifically, it is an authenticated SQL injection vulnerability exploitable by users with the Shop Manager role. It is also a cross-site request forgery (CSRF)/SQL injection vulnerability that could be exploited against Shop Managers and Administrators. We also found that it hadn’t been fully fixed.

Looking at the changes made in the new version, we saw that in the file /includes/tables/class-wcpdf-number-store-list-table.php changes were being made related to user input being passed into a SQL statement. That code runs when visiting this admin page from the plugin: /wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug&section=numbers . While the developer was already using a prepared SQL statement, they are, for some reason, interpolating user input directly into it when they shouldn’t, which defeats the protection a prepared SQL statement offers. The new version still doesn’t resolve that, because that aspect wasn’t addressed. Instead, the developer passed the user input through sanitize_text_field(), which doesn’t stop SQL injection. That involves the variable $search: [Read more]
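
The pattern described above, as an added illustration rather than the plugin’s actual code (the table name, the column searched and the function names are assumptions): a prepared statement that interpolates $search into the SQL text, beside the form that binds it as a parameter.

```php
<?php
// Added illustration, not the plugin's code. Table and column names are assumptions.
// $wpdb is WordPress's global database object and is already defined in a plugin.
global $wpdb;
$table = $wpdb->prefix . 'wcpdf_invoice_number'; // assumed table name; not user input

// Vulnerable pattern: $search is concatenated into the query string before
// $wpdb->prepare() ever sees it, so prepare() only formats the LIMIT value.
// sanitize_text_field() strips tags, line breaks and percent-encoded octets,
// but leaves quotes and SQL keywords intact, so it does not prevent SQL injection.
function number_store_search_vulnerable( $wpdb, $table, $search ) {
    $search = sanitize_text_field( $search );
    $sql    = "SELECT * FROM {$table} WHERE order_id LIKE '%{$search}%' ORDER BY id DESC LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, 20 ) );
}

// Hardened pattern: $search reaches the query only through a %s placeholder, so
// prepare() quotes and escapes it as a value. esc_like() additionally escapes the
// LIKE wildcards % and _ so a search term cannot widen the match.
function number_store_search_hardened( $wpdb, $table, $search ) {
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = "SELECT * FROM {$table} WHERE order_id LIKE %s ORDER BY id DESC LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $like, 20 ) );
}
```

The only difference a reviewer needs to check is whether the user-controlled value appears inside the query string or in the argument list of prepare(); sanitization of the value does not change that answer.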

6 May 2019

What Plugin Vulnerabilities Was Up to in April

If you want the best information and therefore the best protection against vulnerabilities in WordPress plugins, we provide that through our service. Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet).

Paid customers of the service can suggest and vote on plugins to have a security review done by us (you can also order a review separately). This month we released details of our review of Shareaholic. [Read more]