Conversios Google Analytics 4 WooCommerce SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Conversios - Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress. This vulnerability exists in all versions through 7.0.7 and allows authenticated attackers with subscriber-level access and above to exploit the 'valueData' parameter. The issue arises from inadequate escaping of user-supplied data and insufficient preparation of the SQL query, enabling attackers to append malicious SQL queries to existing ones and extract sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. In this case, it could lead to unauthorized data exposure.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the WordPress site with the 'valueData' parameter. The lack of proper input sanitization will allow the injection of malicious SQL code, which could be executed by the database, potentially leading to unauthorized data access.

Remediation

Users are advised to update the plugin to version 7.0.8 or a newer patched version.