Add a couple esc_sql() calls to ensure filtered table names are safe

Author: stevegrunwell

includes/class-wc-order-data-store-custom-table.php

@@ -566,7 +566,7 @@ public static function posts_join( $join, $wp_query ) {
 			$join = preg_replace( $regex, '', $join );
 		}
 
-		$table = wc_custom_order_table()->get_table_name();
+		$table = esc_sql( wc_custom_order_table()->get_table_name() );
 		$join .= " LEFT JOIN {$table} ON ( {$wpdb->posts}.ID = {$table}.order_id ) ";
 
 		// Don't necessarily apply this to subsequent posts_join filter callbacks.
@@ -590,7 +590,7 @@ public static function meta_query_where( $where, $wp_query ) {
 		global $wpdb;
 
 		$meta_query = $wp_query->get( 'wc_order_meta_query' );
-		$table      = wc_custom_order_table()->get_table_name();
+		$table      = esc_sql( wc_custom_order_table()->get_table_name() );
 
 		if ( empty( $meta_query ) ) {
 			return $where;
@@ -650,7 +650,7 @@ public static function filter_order_report_query( $query ) {
 			'post_id'     => false,
 			'post_parent' => false,
 		);
-		$table        = wc_custom_order_table()->get_table_name();
+		$table        = esc_sql( wc_custom_order_table()->get_table_name() );
 		$replacements = array();
 
 		foreach ( $matches[0] as $key => $value ) {