PT-2022-13336 · WordPress · 5 Stars Rating Funnel Wordpress Plugin

Cydave · Published 2022-04-25 · Updated 2022-05-12 · CVE-2022-0657

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
5 Stars Rating Funnel WordPress Plugin versions prior to 1.2.54

Description
The issue arises from the improper sanitization, validation, and escaping of lead ids in SQL statements via the `rrtngg_delete_leads` AJAX action. This action is accessible to unauthenticated users, leading to an unauthenticated SQL injection issue. Although the `sanitize_text_field()` function is used in an attempt to sanitize the input, it is not designed to prevent SQL injections.

Recommendations
For versions prior to 1.2.54, update to version 1.2.54 or later to resolve the issue. As a temporary workaround, consider disabling the `rrtngg_delete_leads` AJAX action until a patch is available. Restrict access to this action to minimize the risk of exploitation.
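
The distinction drawn in the description, between text sanitization and SQL-safe handling of ids, is shown below as an added PHP example; it is not the plugin's code or its actual patch. The `example_*` function names, the `lead_ids` POST field, the `example_leads` table, the nonce action string and the `manage_options` capability are all assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. Hypothetical names: the
// example_* functions, the 'lead_ids' POST field, the example_leads table,
// the nonce action string and the required capability.

// sanitize_text_field() strips tags and tidies whitespace, but it leaves
// parentheses, operators and SQL keywords in place, so a value concatenated
// into a numeric IN (...) list is still interpreted as SQL.
function example_delete_leads_unsafe() {
    global $wpdb;
    $ids = sanitize_text_field( wp_unslash( $_POST['lead_ids'] ?? '' ) );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_leads WHERE id IN ($ids)" );
}

function example_delete_leads_safe() {
    global $wpdb;

    // Reject forged requests and callers without the required capability.
    check_ajax_referer( 'example_delete_leads', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validate by type: each id is coerced to a non-negative integer and
    // zero (the result for non-numeric input) is dropped.
    $raw = wp_unslash( $_POST['lead_ids'] ?? array() );
    $ids = array_filter( array_map( 'absint', (array) $raw ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids', 400 );
    }

    // One %d placeholder per id; $wpdb->prepare() binds the values.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_leads WHERE id IN ($placeholders)",
            $ids
        )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Registered for logged-in users only: no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_delete_leads', 'example_delete_leads_safe' );
```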

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2022-0657

Affected Products

5 Stars Rating Funnel Wordpress Plugin