CVE-2024-0786

Name of the Vulnerable Software and Affected Versions The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress versions up to, and including, 6.9.1

Description The issue is related to a time-based SQL Injection vulnerability. It affects the ee syncProductCategory function, utilizing parameters such as conditionData, valueData, productArray, exclude, and include. This vulnerability is caused by insufficient escaping of user-supplied parameters and a lack of preparation in the existing SQL query. As a result, authenticated attackers with subscriber access or higher can append additional SQL queries to extract sensitive information from the database.

Recommendations For versions up to, and including, 6.9.1, consider disabling the ee syncProductCategory function until a patch is available to prevent exploitation. Restrict access to the parameters conditionData, valueData, productArray, exclude, and include to minimize the risk of SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.