WordPress Auction <= 3.7 - Editor+ SQL Injection

An attacker with Editor-level privileges or higher can exploit the unsanitized parameter before it is used in a SQL statement [ref_id=1]. The attacker sends a crafted HTTP request containing malicious SQL in the vulnerable parameter. Because the input is not escaped, the SQL injection payload is executed directly against the WordPress database [CWE-89]. This allows the attacker to extract, modify, or delete arbitrary data from the database.

The advisory does not specify the exact file or function name within the WordPress Auction plugin (slug: wp-auctions) that contains the vulnerable parameter. The plugin version through 3.7 is affected.

The advisory states that no known fix is available for the WordPress Auction plugin through version 3.7 [ref_id=1]. To remediate the vulnerability, the plugin should sanitize and escape the user-supplied parameter before including it in a SQL query, typically by using WordPress's `$wpdb->prepare()` method or similar parameterized query functions. Until a patched version is released, site administrators should restrict Editor-level access or disable the plugin.