PPOM Product Addons and Custom Fields for WooCommerce SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the PPOM - Product Addons & Custom Fields for WooCommerce plugin for WordPress, affecting all versions through 33.0.15. The vulnerability arises from inadequate escaping of user-supplied parameters and insufficient preparation of SQL queries in the PPOM_Meta::get_fields_by_id() function. This flaw allows unauthenticated attackers to inject additional SQL queries into existing ones, potentially leading to the extraction of sensitive information from the database. Exploitation is possible only when the 'Enable Legacy Price Calculations' setting is activated.
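To illustrate the bug class the advisory describes, the following is an added example in the WordPress `$wpdb` idiom and not the plugin's own code: a hypothetical lookup that interpolates the identifier straight into the SQL string, beside the hardened form that validates the value and binds it through `$wpdb->prepare()`. The table name, column names and function names are assumptions for the illustration.

```php
<?php
// Hypothetical illustration of the flaw class described above; this is NOT
// the plugin's actual code. Table `ppom_meta`, its columns, and the two
// function names are assumed for the example.

// Unsafe pattern: $ppom_id is dropped into the query text unescaped and
// unprepared, so any value that is not a plain integer can alter the
// structure of the statement instead of being treated as data.
function example_get_fields_by_id_unsafe( $ppom_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ppom_meta';
    $sql   = "SELECT id, meta FROM {$table} WHERE id = {$ppom_id}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: coerce the identifier to a non-negative integer first,
// refuse obviously invalid input, and bind the value with a %d placeholder
// so the database driver never parses user input as SQL.
function example_get_fields_by_id_safe( $ppom_id ) {
    global $wpdb;
    $ppom_id = absint( $ppom_id ); // non-numeric input collapses to 0
    if ( 0 === $ppom_id ) {
        return array();            // no row can have id 0; do not query
    }
    $table = $wpdb->prefix . 'ppom_meta';
    $sql   = $wpdb->prepare(
        "SELECT id, meta FROM {$table} WHERE id = %d",
        $ppom_id
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin for this class of defect, look for `$wpdb->get_results()`, `get_var()`, `get_row()` or `query()` calls whose SQL string is assembled by interpolation without a surrounding `$wpdb->prepare()`.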

Impact

Exploitation of this vulnerability allows SQL injection: an unauthenticated attacker can manipulate the plugin's SQL queries to extract sensitive data from the database.

Reproduction

To reproduce this vulnerability, first ensure that the PPOM - Product Addons & Custom Fields for WooCommerce plugin is installed and activated on a WordPress site. Then, navigate to the plugin's settings and enable the 'Legacy Price Calculations' option. Once this setting is active, the vulnerability can be exploited by sending a request that reaches the 'get_fields_by_id' function with a crafted 'ppom_id' parameter containing malicious SQL. The injected SQL is executed by the database, allowing database information to be read.

Remediation

Users are advised to update the PPOM - Product Addons & Custom Fields for WooCommerce plugin to version 33.0.16 or later, where this vulnerability has been patched.

Added: Oct 18, 2025, 7:20 AM
Updated: Oct 18, 2025, 7:20 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.