CVE-2023-28659

An authenticated attacker (any role, including subscriber) sends a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to pbc_save_downs and a malicious payload in the pbc_down[meta][id] parameter [ref_id=1]. The payload contains SQL injection syntax (e.g., `1 OR (SELECT 1 FROM (SELECT(SLEEP(1)))a)--`) that is not sanitized before being interpolated into a SQL query, allowing the attacker to execute arbitrary SQL commands [ref_id=1]. The attack requires a valid WordPress session cookie but no special privileges beyond being logged in [ref_id=1].

The advisory [ref_id=1] identifies the pbc_save_downs action handler as the vulnerable code path. The pbc_down[meta][id] parameter is passed unsanitized into a SQL statement. No specific file or function names are provided in the bundle.

No patch is included in the bundle. The advisory [ref_id=1] identifies that versions <= 0.6.2 are affected and recommends that the plugin properly escape the pbc_down[meta][id] parameter before using it in a SQL statement. The remediation would involve applying WordPress's built-in data sanitization functions (such as `$wpdb->prepare()`) to the user-supplied input to prevent SQL injection.

curl "http://$TARGET_HOST/wp-admin/admin-ajax.php" --header "$WP_COOKIE" --data "action=pbc_save_downs&pbc_down[meta][id]=1+OR+(SELECT+1+FROM+(SELECT(SLEEP(1)))a)--" [ref_id=1]