The Sorter <= 1.0 - Authenticated SQL Injection

An authenticated attacker with Administrator-level access can exploit the SQL injection by sending a crafted `area_id` parameter in a POST request to the `the_sorter_areas` admin page [ref_id=1]. The payload is inserted unsanitized into a SELECT query, enabling time-based blind SQL injection using MySQL's `SLEEP()` function [ref_id=1]. The advisory demonstrates a proof-of-concept request where `area_id=1 AND (SELECT 7667 FROM (SELECT(SLEEP(5)))DWBj)` causes a 5-second delay, confirming the injection [ref_id=1].

The vulnerable file is `items.php` at line 218, where the `area_id` parameter from `$_POST` is concatenated directly into a SQL query without sanitization, escaping, or validation [ref_id=1]. The query is executed via `$wpdb->get_row()` against the `SORTER_TB_ITEMS` table [ref_id=1].

The advisory does not include a patch diff, but the remediation would require sanitizing, escaping, or validating the `area_id` parameter before using it in the SQL query, such as casting it to an integer or using `$wpdb->prepare()` with a placeholder [ref_id=1]. Without such changes, the unsanitized concatenation of user input into the SQL statement allows arbitrary SQL commands to be executed [ref_id=1].