AP Custom Testimonial < 1.4.8 - Admin+ SQL Injection

An attacker with Admin+ privileges can inject arbitrary SQL by manipulating the `id` parameter when editing a testimonial [ref_id=1]. The plugin fails to validate and escape this parameter before incorporating it into a SQL query [CWE-89]. This allows the attacker to read, modify, or delete database contents beyond the intended testimonial record. The attack requires authentication at the Administrator level.

The vulnerability exists in the AP Custom Testimonial WordPress plugin (slug: ap-custom-testimonial) before version 1.4.7. The `id` parameter is not validated or escaped before being used in a SQL statement when retrieving a testimonial to edit [ref_id=1]. The specific file and function are not detailed in the advisory, but the flaw is in the testimonial editing functionality.

The advisory states the vulnerability is fixed in version 1.4.8 [ref_id=1]. The patch (available at the referenced Trac changeset) adds proper validation and escaping of the `id` parameter before it is used in the SQL statement. No further details about the specific sanitization function used are provided in the advisory.