
Smart Manager 8.27.0 – Post-Authenticated SQL Injection

The Smart Manager plugin version 8.27.0 is vulnerable to a post-authenticated SQL injection due to improper sanitization of input parameters. An attacker with high privileges, such as an administrator, can exploit this issue by manipulating the 'sort_params%5BsortOrder%5D' and 'sort_params%5Bcolumn%5D' parameters (the URL-encoded forms of sort_params[sortOrder] and sort_params[column]) in requests to the admin AJAX endpoint (/wp-admin/admin-ajax.php). Because these values are not sanitized, the attacker can inject SQL commands, resulting in a time-based SQL injection.
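
The following is an added example, not Smart Manager's code or its fix: a sketch of how sort parameters like these can be handled safely with allowlists, since column names and sort directions cannot be bound as prepared-statement placeholders. It assumes the two parameters end up in an ORDER BY clause; the function name `build_order_by`, the column map and the sample inputs are hypothetical.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Assumption: sort_params[column] and sort_params[sortOrder] feed an ORDER BY clause.

/**
 * Build an ORDER BY clause from request sort parameters using allowlists.
 * Identifiers and keywords cannot be bound as placeholders, so each value
 * is mapped to a fixed server-side string instead of being escaped.
 */
function build_order_by(array $sortParams, array $columnMap, string $defaultKey): string
{
    $key = $sortParams['column'] ?? $defaultKey;
    // Reject non-strings (e.g. nested arrays) and any key not in the map.
    if (!is_string($key) || !array_key_exists($key, $columnMap)) {
        $key = $defaultKey;
    }

    // Anything other than an exact "desc" falls back to ascending order.
    $dir = $sortParams['sortOrder'] ?? 'asc';
    $dir = (is_string($dir) && strtolower($dir) === 'desc') ? 'DESC' : 'ASC';

    // Only strings defined in this file ever reach the SQL text.
    return 'ORDER BY `' . $columnMap[$key] . '` ' . $dir;
}

// Hypothetical mapping of client-facing sort keys to real column names.
$columnMap = [
    'id'    => 'ID',
    'title' => 'post_title',
    'date'  => 'post_date',
];

// Constructed sample inputs: one well-formed, one with unexpected trailing text.
$samples = [
    ['column' => 'title', 'sortOrder' => 'desc'],
    ['column' => 'title, unexpected text', 'sortOrder' => 'asc unexpected text'],
];

foreach ($samples as $sample) {
    echo build_order_by($sample, $columnMap, 'id'), PHP_EOL;
}
```

The malformed sample falls back to the default column and ascending order, so no request-supplied text is concatenated into the query.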
