Hello,
1. Blind SQL injection (MSP_DB::ms_query)
Authenticated users (like editors) can execute arbitrary SQL commands (there is no CSRF protection).
URL: GET
Vulnerable parameters: orderby
Example PHP callstack:
/master-slider/admin/views/slider-dashboard/list-sliders.php:6
MSP_List_Table::prepare_items [/master-slider/admin/includes/classes/class-msp-list-table.php:186]
MSP_List_Table::get_total_count [/master-slider/admin/includes/classes/class-msp-list-table.php:166]
MSP_List_Table::get_records [/master-slider/admin/includes/classes/class-msp-list-table.php:159]
MSP_DB::get_sliders [/master-slider/includes/classes/class-msp-db.php:552]
MSP_DB::get_sliders_list [/master-slider/includes/classes/class-msp-db.php:534]
MSP_DB::ms_query [/master-slider/includes/classes/class-msp-db.php:509]
wpdb::get_results
Verification:
--
Regards,
Marcin Probola,
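
A mitigation sketch for the `orderby` issue reported above, added here as an example; it is not part of the original advisory and not Master Slider's code. The function name, constant and column names are hypothetical. Because SQL identifiers cannot be bound as placeholders, the request value is used only as a lookup key into an allowlist.

```php
<?php
// Added example: hypothetical helper, not code from the plugin.
// The column names in this map are assumptions for illustration.
const EXAMPLE_SORTABLE_COLUMNS = [
    'id'      => 'ID',
    'title'   => 'title',
    'created' => 'date_created',
];

/**
 * Build an ORDER BY clause from untrusted request values.
 * The request value never reaches the SQL text: it only selects an
 * entry from the allowlist, and anything unknown falls back to a default.
 */
function example_order_clause($orderby, $order, string $default = 'id'): string
{
    // Arrays (orderby[]=x) and null are treated as "not supplied".
    $key = is_string($orderby) ? strtolower(trim($orderby)) : '';
    if (!array_key_exists($key, EXAMPLE_SORTABLE_COLUMNS)) {
        $key = $default;
    }

    // Direction is reduced to one of two fixed keywords.
    $dir = (is_string($order) && strtoupper(trim($order)) === 'ASC') ? 'ASC' : 'DESC';

    return sprintf('ORDER BY `%s` %s', EXAMPLE_SORTABLE_COLUMNS[$key], $dir);
}

// Constructed request values: two valid ones, then values that must be rejected.
$samples = [
    ['title', 'asc'],
    ['ID', 'desc'],
    ['title,(select 1)', 'asc'],
    [['nested'], 'ASC; --'],
    [null, null],
];

foreach ($samples as [$orderby, $order]) {
    printf("%-22s => %s\n", json_encode($orderby), example_order_clause($orderby, $order));
}
```

Only the first two samples keep their requested column; the rest produce ``ORDER BY `ID` `` with a fixed direction. The missing CSRF protection noted in the report is a separate fix from this one.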