If you look here at the method "paginate": https://github.com/mislav/will_paginate/blob/v2.3.15/lib/will_paginate/finder.rb
You can see that it uses method_missing to go to find_by_sql in some cases, which through the "order" parameter can be exposed to SQL injection attacks.
Has someone already solved this possible issue?
A simple solution would be to not let users define the order parameter directly.
Still, I can't see the attack vector that you describe. paginate_by_sql doesn't take an "order" parameter.
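The mitigation suggested above (not letting users set the order parameter directly) is usually implemented as an allow-list that maps a user-supplied sort key to a vetted ORDER BY fragment before it reaches any paginate or find_by_sql call. The following is an added example written for this thread, not code from will_paginate; the column names, the `safe_order` helper and the `paginate_options` builder are assumptions for illustration.

```ruby
# Added example (not will_paginate's own code): validate the :order option
# against an allow-list so that user input never reaches the SQL string verbatim.

ALLOWED_SORT_COLUMNS = %w[created_at title id].freeze # assumed column names
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Map a user-supplied "column direction" string to a vetted ORDER BY fragment.
# Anything that is not exactly an allowed column plus an allowed direction
# falls back to the default, so input such as "id; DROP TABLE users" or
# "created_at asc, (select 1)" can never be concatenated into SQL.
def safe_order(param, default: "created_at DESC")
  return default if param.nil?

  column, direction = param.to_s.strip.split(/\s+/, 2)
  direction = (direction || "asc").downcase
  return default unless ALLOWED_SORT_COLUMNS.include?(column) &&
                        ALLOWED_DIRECTIONS.include?(direction)

  "#{column} #{direction.upcase}"
end

# Build the options hash a controller would hand to paginate, with the
# order already vetted. `params` is a plain Hash of request parameters (assumed).
def paginate_options(params)
  { page: params["page"], per_page: 20, order: safe_order(params["order"]) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, one benign and one hostile.
  p paginate_options("page" => "2", "order" => "title desc")
  p paginate_options("page" => "1", "order" => "id; DROP TABLE users")
end
```

Because the fragment is rebuilt from allow-listed tokens rather than passed through, the `order` value handed to paginate is always one of a small, known set of strings, regardless of what the request contained.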