Authenticated SQL Injection Vulnerability in PDF Invoices & Packing Slips for WooCommerce
One of the changelog entries for the latest version of the WordPress plugin PDF Invoices & Packing Slips for WooCommerce is “Fix: potential SQL injection bug in Number Tools”. In looking into that, we found that this wasn’t a potential issue, but an actual vulnerability. Specifically, it is an authenticated SQL injection vulnerability exploitable by users with the Shop Manager role. Because the request is a plain GET with no nonce check, it is also a cross-site request forgery (CSRF)/SQL injection vulnerability that could be exploited against logged-in Shop Managers and Administrators. We also found it hadn’t been fully fixed.
Looking at the changes made in the new version, we saw that in the file /includes/tables/class-wcpdf-number-store-list-table.php changes were being made related to user input being passed into a SQL statement. That code runs when accessing this admin page from the plugin: /wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug&section=numbers . While the developer was already using a prepared SQL statement, they are, for some reason, placing user input directly inside the format string instead of binding it through a placeholder. PHP expands the variable into the string before $wpdb->prepare() ever sees it, so prepare() only handles the %d placeholders and the user input is already part of the SQL text, which defeats the purpose of the protection offered by a prepared SQL statement. The new version still doesn’t resolve that, as that aspect wasn’t addressed. Instead, the developer passed the user input through sanitize_text_field(), which doesn’t stop SQL injection. That involves the variable $search:
The query, with $search interpolated into the format string rather than bound with a %s placeholder:

```php
$results = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $table_name WHERE `id` LIKE '$search' OR `order_id` LIKE '$search' ORDER BY $orderby $order LIMIT %d OFFSET %d", $this->per_page, $offset ) );
```

Where $search comes from, earlier in the same method (the request is $_GET, with slashes stripped):

```php
$request = stripslashes_deep( $_GET );
$results = array();
$paged   = $this->get_paged( $request );
$offset  = $this->per_page * ( $paged - 1 );
$search  = $this->get_search( $request );
```

And get_search(), which is the only processing the “s” parameter receives:

```php
public function get_search( $request ) {
	return ! empty( $request['s'] ) ? sanitize_text_field( $request['s'] ) : false;
}
```
That function strips HTML tags, line breaks, tabs, extra whitespace and percent-encoded octets, but it leaves single quotes untouched, and a single quote is all that is needed to close the quoted LIKE value and append arbitrary SQL.
We have reached out to the developer about that and offered to help fix it.
Proof of Concept
With the following proof of concept a SQL syntax error will be shown when logged in as a Shop Manager, provided the WP_DEBUG setting is set to true in the WordPress configuration file.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug&section=numbers&s=0%27+AND+SLEEP%2810%29