WooCommerce Customers Manager 29.4: Watch Out for SQL Shenanigans!

WooCommerce Customers Manager users, brace yourselves! A post-authenticated SQL injection vulnerability is lurking in version 29.4, ready to cause mischief. If you’re feeling brave, try injecting SQL commands into transaction amount parameters and watch as chaos ensues. But seriously, update your plugin faster than a caffeine-fueled squirrel! CVE-2024-0399, we’re looking at you.

Hot Take:

It’s like leaving the vault door open after closing time! WooCommerce Customers Manager’s latest act? Giving subscribers a magical key to the SQL kingdom! Time to grab the popcorn, because even your database might be having a sleepless night.

Key Points:

  • WooCommerce Customers Manager version 29.4 is vulnerable to SQL injection.
  • The issue arises from improper sanitization of transaction amount parameters.
  • Exploitable by users with Subscriber+ role through the admin AJAX endpoint.
  • The vulnerability is time-based, with server responses delayed by injected commands.
  • Users are urged to update the plugin once a patch is available and restrict endpoint access.
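As an added defender-side example (not code from this post or from the plugin), the script below scans a constructed access-log sample for the pattern the key points describe: requests to `admin-ajax.php` that carry a non-numeric transaction amount, a time-delay SQL function, or an unusually slow response, and it shows the strict numeric allow-list an amount should pass before it ever reaches a query. The action name and the `amount` parameter name are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample access log (not real traffic): client IP, request target,
# HTTP status, response time in ms. The action name and the "amount" parameter
# name are assumptions for illustration, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 /wp-admin/admin-ajax.php?action=example_action&amount=19.99 200 118
10.0.0.9 /wp-admin/admin-ajax.php?action=heartbeat 200 41
10.0.0.7 /wp-admin/admin-ajax.php?action=example_action&amount=19.99%20AND%20SLEEP(5) 200 5204
10.0.0.7 /wp-admin/admin-ajax.php?action=example_action&amount=1)%20OR%20BENCHMARK(5000000,MD5(1))%23 200 6087
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")
TIME_FUNC_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.IGNORECASE)
AMOUNT_RE = re.compile(r"^-?\d+(\.\d{1,2})?$")  # strict decimal such as 19.99

def valid_amount(value: str) -> bool:
    # Allow-list check: reject anything that is not a plain decimal, never "clean" it.
    return AMOUNT_RE.fullmatch(value.strip()) is not None

def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status, ms = m.groups()
    parts = urlsplit(target)  # parse_qs percent-decodes the values for us
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": ip, "path": parts.path, "params": params, "status": int(status), "ms": int(ms)}

def classify(req: dict, slow_ms: int = 3000) -> list:
    # Reasons a request to admin-ajax.php looks like time-based SQL injection.
    reasons = []
    if req["path"] != "/wp-admin/admin-ajax.php":
        return reasons
    amount = req["params"].get("amount")
    if amount is not None and not valid_amount(amount):
        reasons.append("non-numeric amount")
    if any(TIME_FUNC_RE.search(v) for v in req["params"].values()):
        reasons.append("time-delay function in parameter")
    if req["ms"] >= slow_ms:
        reasons.append(f"slow response ({req['ms']} ms)")
    return reasons

def detect(log_text: str, slow_ms: int = 3000) -> list:
    findings = []  # (ip, reasons) for every request with at least one indicator
    for line in log_text.splitlines():
        req = parse_line(line)
        reasons = classify(req, slow_ms) if req else []
        if reasons:
            findings.append((req["ip"], reasons))
    return findings
```

Tune `slow_ms` to the endpoint's normal latency; the slow-response indicator on its own is only a prompt to look at the parameters, while a failed `valid_amount` check is the condition the plugin should have enforced server-side.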

The Nimble Nerd