Just another day, and another injection vulnerability (please patch): https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
If only escaping wasn't being used, so user values did not get included in certain strings :-)

diff -r woocommerce.5.5.0/includes/data-stores/class-wc-webhook-data-store.php woocommerce.5.5.1/includes/data-stores/class-wc-webhook-data-store.php
280c280
< $search = ! empty( $args['search'] ) ? "AND `name` LIKE '%" . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . "%'" : '';
---
> $search = ! empty( $args['search'] ) ? $wpdb->prepare( "AND `name` LIKE %s", '%' . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . '%' ) : '';

The vote for the is_literal RFC ends on Monday the 19th of July, 7:30pm UK time and 6:30pm UTC, and needs your support.
https://wiki.php.net/rfc/is_literal
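Review bot: the root cause in the `<` line is that `$wpdb->esc_like()` only escapes the LIKE wildcard characters (`%`, `_` and the backslash); it does not escape quote characters, so the user-supplied `$args['search']` is concatenated straight into a single-quoted SQL literal and `sanitize_text_field()` does not close that gap either. The `>` line is the right shape of fix: `$wpdb->prepare( "AND `name` LIKE %s", ... )` lets the database layer quote and escape the whole value as one string parameter, while `esc_like()` is still applied first so that wildcards typed by the user are matched literally rather than treated as patterns. The ordering (escape wildcards, then pass the result as the `%s` argument) is correct; the one thing worth checking in review is that no other call site in the data store builds `LIKE` clauses by concatenation, since this pattern is easy to copy.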