Sirv <= 1.3.1 - Authenticated SQL Injection

$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every registered user. $id = $_POST[‘row_id’]; $row = $wpdb->get_row(“SELECT * FROM $table_name WHERE id = $id”, ARRAY_A); $row[‘images’] = unserialize($row[‘images’]); echo json_encode($row);

PoC