The Master Elements WordPress plugin through 8.0 does not...
Critical severity
Unreviewed
Published
Apr 26, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Apr 25, 2022
Published to the GitHub Advisory Database
Apr 26, 2022
Last updated
Jan 27, 2023
The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection
References