
Le Hong Minh

Researcher from ITAS Team
#37244 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2015-5916
7.5
2015-04-06
WordPress · Simple Ads Manager · CVE-2015-2824
**Name of the Vulnerable Software and Affected Versions**

Simple Ads Manager plugin for WordPress, versions prior to 2.7.97.

**Description**

Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands against the WordPress database. User-supplied values reach SQL queries unsanitised through several parameters of the plugin's AJAX actions: the `hits[][]` parameter of the `sam_hits` action handled by `sam-ajax.php`; the `cstr` parameter of the `load_posts` action, the `searchTerm` parameter of the `load_combo_data` action, and the role parameters (`subscriber`, `contributor`, `author`, `editor`, `admin`, `sadmin`) of the `load_users` action, all three handled by `sam-ajax-admin.php`. Note that `sam-ajax.php` serves front-end hit counting, so the `sam_hits` vector does not require an authenticated session.

**Recommendations**

Update Simple Ads Manager to version 2.7.97 or later; this is the only complete fix. Until the update is applied, restrict access to `sam-ajax.php` and `sam-ajax-admin.php` at the web server or WAF, and block or log requests that send the listed parameters to the affected actions. Such filtering reduces exposure but is not a substitute for the update, because the attacker controls every parameter in the request and the endpoints themselves remain reachable by the plugin's legitimate front-end and admin code.
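As an added example (not code from this page or from the plugin), the following Python helper turns the advisory's endpoint, action and parameter names into a triage check for request logs: it flags any request that reaches one of the affected actions with one of the affected parameters, and separately marks values that look like SQL injection payloads. The plugin directory name `simple-ads-manager` and all sample requests are assumptions constructed for illustration; the action names use the underscored form from the CVE record.

```python
"""Triage helper for CVE-2015-2824 (Simple Ads Manager < 2.7.97).

Added example, not code from the dbugs page or from the plugin. It flags
requests that reach the AJAX actions and parameters named in the advisory
and marks those whose values look like SQL injection payloads. Assumed:
the plugin directory name (simple-ads-manager) and every sample request
below are constructed for illustration only.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint -> action -> parameters named in the advisory.
VULNERABLE = {
    "sam-ajax.php": {"sam_hits": {"hits[][]"}},
    "sam-ajax-admin.php": {
        "load_posts": {"cstr"},
        "load_combo_data": {"searchTerm"},
        "load_users": {"subscriber", "contributor", "author",
                       "editor", "admin", "sadmin"},
    },
}

# Cheap indicator of an injection attempt in a parameter value. A lone
# quote will also fire on legitimate search terms; tune for your traffic.
SQLI_HINT = re.compile(
    r"'|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I)


def normalize_key(key: str) -> str:
    """PHP merges hits[0][3] and hits[][] into the same nested array,
    so strip explicit indices before comparing with the advisory's names."""
    return re.sub(r"\[[^\]]*\]", "[]", key)


def classify_request(target: str, body: str = "") -> Optional[dict]:
    """Return a finding for a request that touches a vulnerable action and
    parameter, else None. `target` is the request path plus optional query;
    `body` is the raw application/x-www-form-urlencoded POST body."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    actions = VULNERABLE.get(script)
    if actions is None:
        return None

    params = {}
    for source in (parts.query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(normalize_key(key), []).extend(values)

    action = params.get("action", [None])[0]
    if action not in actions:
        return None
    touched = sorted(set(params) & actions[action])
    if not touched:
        return None
    suspicious = any(SQLI_HINT.search(v) for k in touched for v in params[k])
    return {"script": script, "action": action,
            "params": touched, "sqli_like": suspicious}


# Constructed sample requests (path, POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("/wp-content/plugins/simple-ads-manager/sam-ajax.php",
     "action=sam_hits&hits[0][0]=1%27%20AND%20SLEEP(5)--%20-"),
    ("/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php",
     "action=load_users&sadmin=1%27%20UNION%20SELECT%20user_login,"
     "user_pass%20FROM%20wp_users--%20-"),
    ("/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php",
     "action=load_combo_data&searchTerm=summer"),   # benign-looking value
    ("/wp-content/plugins/simple-ads-manager/sam-ajax.php",
     "action=sam_hits"),                            # action, no parameter
    ("/index.php?p=12", ""),                         # unrelated request
]


def triage(requests):
    """Run classify_request over (target, body) pairs and keep findings."""
    findings = []
    for target, body in requests:
        finding = classify_request(target, body)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        level = "EXPLOIT ATTEMPT" if f["sqli_like"] else "vulnerable path"
        print(f"{level}: {f['script']} action={f['action']} params={f['params']}")
```

The parameters are sent in POST bodies, which a standard web server access log does not record, so feed this from a source that captures bodies (a WAF, a reverse proxy with body logging, or application-level request logging). A hit on a vulnerable action without an injection-looking value still matters on an unpatched site, since it shows the reachable surface is in use and will need to keep working after any endpoint restriction is applied.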