Premmerce Wholesale Pricing for WooCommerce SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress, affecting versions through 1.1.10. The vulnerability arises from inadequate escaping of user-supplied data in the 'ID' parameter, allowing authenticated attackers with subscriber-level access or higher to manipulate SQL queries. Exploitation could lead to unauthorized access to sensitive database information and to altered price type display names, causing visual disruptions in the WordPress admin interface. The 'price_type' parameter of the 'premmerce_delete_price_type' action is susceptible to the same SQL injection.
Impact
Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with database queries. This could result in the extraction of confidential data or unauthorized modifications to the database, such as altering price type names, which could disrupt the WordPress admin user experience.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the 'admin-post.php' endpoint. The request must include the 'ID' parameter with a crafted SQL payload that exploits the insufficient escaping vulnerability. Alternatively, the 'price_type' parameter can be used to achieve the same SQL injection effect through the 'premmerce_delete_price_type' action.
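The root cause described above is request data reaching SQL without escaping, combined with a handler that subscriber-level accounts can reach. The following is an added illustration of how a WordPress admin-post handler avoids both problems; it is not the plugin's own code, and the function name, the 'manage_woocommerce' capability check, the nonce action and the 'price_types' table name are assumptions chosen for the example.

```php
<?php
// Hypothetical hardened handler for the 'premmerce_delete_price_type' admin-post action.
// Not the plugin's code: the table name, capability and nonce action are assumed.

add_action( 'admin_post_premmerce_delete_price_type', 'example_delete_price_type' );

function example_delete_price_type() {
    global $wpdb;

    // 1. Authorization: a subscriber must not reach this code path at all.
    //    Hooking admin_post_* alone does not restrict who may call the action.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_admin_referer( 'premmerce_delete_price_type' );

    // 3. Input handling: never interpolate request values into SQL.
    //    The vulnerable shape is "... WHERE ID = {$_POST['ID']}"; instead
    //    coerce 'ID' to a non-negative integer and reject anything that is not one.
    $id = isset( $_POST['ID'] ) ? absint( $_POST['ID'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid ID', '', array( 'response' => 400 ) );
    }

    // 'price_type' is a string, so it goes through a %s placeholder, which
    // $wpdb->prepare() quotes and escapes for us.
    $price_type = isset( $_POST['price_type'] )
        ? sanitize_text_field( wp_unslash( $_POST['price_type'] ) )
        : '';
    if ( '' === $price_type ) {
        wp_die( 'Invalid price_type', '', array( 'response' => 400 ) );
    }

    // Assumed table name; the identifier is built from the site prefix, not from user input.
    $table = $wpdb->prefix . 'price_types';

    // %d and %s are bound by prepare(); the values can no longer change the query shape.
    $sql = $wpdb->prepare(
        "DELETE FROM {$table} WHERE ID = %d AND price_type = %s",
        $id,
        $price_type
    );
    $deleted = $wpdb->query( $sql );

    // Report outcome back to the admin screen instead of echoing raw database errors.
    $status = ( false === $deleted ) ? 'error' : 'deleted';
    wp_safe_redirect( add_query_arg( 'price_type_status', $status, admin_url( 'admin.php' ) ) );
    exit;
}
```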