From b74f4f5a3c545d391442cd2492ac514e80ca0833 Mon Sep 17 00:00:00 2001
From: vuckro
Date: Wed, 10 Jun 2026 11:49:50 +0200
Subject: [PATCH] fix(security): allow-list the model identifier in Limitations::remove_limitations

remove_limitations() interpolated its $slug argument straight into the meta table name and the id column name of a DELETE query. $slug originates from the request ('model') in handle_confirm_limitations_reset(), and wu_request() does not make a value identifier-safe, so a crafted model value could inject SQL through the table/column identifier. Validate $slug against a fixed allow-list of the models that actually carry limitations (membership, product, customer, site) before it is used to build any SQL.

Co-Authored-By: Claude Fable 5
---
 inc/objects/class-limitations.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/inc/objects/class-limitations.php b/inc/objects/class-limitations.php
index f06a17517..fdd64e000 100644
--- a/inc/objects/class-limitations.php
+++ b/inc/objects/class-limitations.php
@@ -478,6 +478,18 @@ public static function remove_limitations($slug, $id): void {
 global $wpdb;
+ /*
+ * $slug is used to build the meta table and column names below, so it
+ * must never be taken from request input verbatim. Validate it against
+ * a fixed allow-list of the models that actually carry limitations to
+ * prevent SQL injection through the identifier.
+ */
+ $allowed_models = ['membership', 'product', 'customer', 'site'];
+ if ( ! in_array($slug, $allowed_models, true)) {
+ return;
+ }
+ $wu_prefix = 'wu_';
 /*
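Review bot: The rejection path is silent — when `$slug` is not in `$allowed_models` the method just returns, so handle_confirm_limitations_reset() (not visible here) can still report a successful reset after deleting nothing, which hides both a caller bug and probing with crafted model values. Failing loudly is the explicit option, `throw new \InvalidArgumentException('Unsupported limitations model.');` in place of the bare `return;`, with the request handler catching it and surfacing an error; at minimum log the rejected value. The hard-coded list also duplicates knowledge that presumably lives wherever models are registered, so a model added later that carries limitations would silently stop having its limitations removed — exposing it as a class constant such as `private const LIMITATION_MODELS = ['membership', 'product', 'customer', 'site'];` that the caller validates against as well would keep the two in sync. Whether `$id` reaches the DELETE through `$wpdb->prepare()` is outside this hunk and worth confirming, since the allow-list only closes the identifier path; remove_limitations() continues past the end of the hunk.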