WooCommerce Custom Product Tabs Lite 1.9.1 Update: Potential SQLi and Deserialization Risks

### Key Information #### Changeset - **ID**: 3226839 - **Timestamp**: 01/22/2025 12:34:55 PM - **Author**: SkyVerge - **Message**: Committing 1.9.1 to trunk - **Location**: woocommerce-custom-product-tabs-lite/trunk #### File Changes - **Added**: 3 - **Modified**: 3 #### Key Code Changes - **File**: woocommerce-custom-product-tabs-lite.php ```php const VERSION = '1.9.1'; $tab_data = $this->productTabsMetaHandler->getMeta($product); $this->productTabsMetaHandler->deleteMeta($product); ``` - **readme.txt** - **Version**: 1.9.1 - **Tested up to**: 6.7.1 #### Potential Vulnerabilities - **Potential Unsafe Data Handling**: The calls `$this->productTabsMetaHandler->getMeta($product);` and `$this->productTabsMetaHandler->deleteMeta($product);` may involve unsafely handled data. Without appropriate input validation and data sanitization, there is a risk of SQL injection. - **Insufficiently Audited Functions**: The use of `maybe_unserialize` could lead to serialization-related attacks if input is not thoroughly audited before performing deserialization operations. #### Recommendations - Perform input validation and security filtering on all data processing related to `$product`. - Conduct a detailed audit of code snippets using sensitive functions such as `maybe_unserialize`.

Goal Reached Thanks to every supporter — we hit 100%!

WooCommerce Custom Product Tabs Lite 1.9.1 Update: Potential SQLi and Deserialization Risks