PT-2022-13164 · WordPress · Ti Woocommerce Wishlist

Krzysztof Zając · Published 2022-02-28 · Updated 2024-03-20 · CVE-2022-0412

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TI WooCommerce Wishlist WordPress plugin, versions prior to 1.40.1
TI WooCommerce Wishlist Pro WordPress plugin, versions prior to 1.40.1

Description
The plugin does not sanitize or escape the item_id parameter before using it in a SQL statement in the "wishlist/remove_product" REST endpoint, which allows unauthenticated attackers to perform SQL injection attacks. The injection is time-based (blind): database contents can be extracted by observing response timing.

Recommendations
For TI WooCommerce Wishlist WordPress plugin versions prior to 1.40.1, update to version 1.40.1 or later. For TI WooCommerce Wishlist Pro WordPress plugin versions prior to 1.40.1, update to version 1.40.1 or later. As a temporary workaround, consider restricting access to the "wishlist/remove_product" REST endpoint until the update can be applied.
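The bug class described above, shown as an added example that is not the plugin's code: a WordPress REST route whose handler concatenates the item_id request parameter into a DELETE statement, next to the hardened form that validates the parameter as an integer and binds it with $wpdb->prepare. The route namespace, table name and function names are assumptions made for the illustration.

```php
<?php
// Illustrative example, not the plugin's own code. Route names, table name and
// callbacks are assumptions; the WordPress APIs used (register_rest_route,
// WP_REST_Request, $wpdb->prepare, absint) are the real ones.
add_action('rest_api_init', function () {
    register_rest_route('example-wishlist/v1', '/remove_product', [
        'methods'             => 'POST',
        'callback'            => 'example_remove_product_safe',
        // Reject unauthenticated callers instead of exposing the endpoint to everyone.
        'permission_callback' => 'is_user_logged_in',
        'args'                => [
            'item_id' => [
                'required'          => true,
                // Anything that is not a plain positive integer never reaches SQL.
                'validate_callback' => function ($value) {
                    return is_numeric($value) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
        ],
    ]);
});

// VULNERABLE pattern (the class of defect in the description): the raw request
// value is concatenated into the statement, so the database parses whatever the
// caller sent as SQL, including time-delaying expressions.
function example_remove_product_unsafe(WP_REST_Request $request) {
    global $wpdb;
    $item_id = $request->get_param('item_id');
    $wpdb->query("DELETE FROM {$wpdb->prefix}example_wishlist_items WHERE item_id = " . $item_id);
    return rest_ensure_response(['removed' => true]);
}

// HARDENED form: integer sanitization plus a prepared statement. The value is
// bound with %d, so no SQL syntax from the request is ever interpreted.
function example_remove_product_safe(WP_REST_Request $request) {
    global $wpdb;
    $item_id = absint($request->get_param('item_id'));
    $table   = $wpdb->prefix . 'example_wishlist_items';   // assumed table name
    $deleted = $wpdb->query(
        $wpdb->prepare("DELETE FROM {$table} WHERE item_id = %d", $item_id)
    );
    if ($deleted === false) {
        return new WP_Error('db_error', 'Could not remove item', ['status' => 500]);
    }
    return rest_ensure_response(['removed' => (int) $deleted > 0]);
}
```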

Tags: Exploit · Fix · SQL injection

Related Identifiers: CVE-2022-0412

Affected Products: Ti Woocommerce Wishlist