Single Personal Message
- <= 1.0.3
A SQL injection vulnerability has been identified in the WordPress plugin 'Single Personal Message' version 1.0.3. The message parameter is passed into a SQL query without adequate sanitization, so an authenticated user can inject SQL through it and execute arbitrary queries.
Exploitation of this vulnerability allows for arbitrary SQL execution, which could be used to extract sensitive information from the database, such as user credentials and site configuration data.
To reproduce this vulnerability, log in as a registered user and navigate to the WordPress admin interface. Access the 'Simple Personal Message' plugin's outbox page. Inject a crafted SQL statement into the message parameter, such as a UNION SELECT payload, to exploit the SQL injection vulnerability and retrieve data from the database.
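For defenders, the request pattern described above can be looked for in web server access logs. The following is an added example, not code from the plugin or from this advisory; the log lines are constructed, and the page slug `spm-outbox`, the combined log format and the `/wp-admin/` path filter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The page slug
# "spm-outbox" and all addresses are placeholders, not taken from the plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=spm-outbox&message=12 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:02:40 +0000] "GET /wp-admin/admin.php?page=spm-outbox&message=0%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 6011
203.0.113.9 - - [01/Jan/2024:10:02:55 +0000] "GET /wp-admin/admin.php?page=spm-outbox&message=0+union+select+1 HTTP/1.1" 200 6020
198.51.100.4 - - [01/Jan/2024:10:05:13 +0000] "GET /blog/?message=union+select+membership HTTP/1.1" 200 900
"""

# Client address and request target of a GET/POST log entry.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# SQL constructs that should not appear in the message parameter:
# UNION [ALL] SELECT, a single quote, or a "--" comment marker.
SQLI = re.compile(r"\bunion\s+(?:all\s+)?select\b|'|--", re.IGNORECASE)


def suspicious_message_requests(log_text):
    """Return (client_ip, decoded message value) for flagged wp-admin requests."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        url = urlsplit(target)
        # The advisory places the injection point in the admin interface.
        if not url.path.startswith("/wp-admin/"):
            continue
        # parse_qs URL-decodes values, so %20 and + both become spaces.
        for value in parse_qs(url.query).get("message", []):
            if SQLI.search(value):
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for client_ip, value in suspicious_message_requests(SAMPLE_LOG):
        print(f"{client_ip}\tmessage={value!r}")
```

Because the issue is reachable only by authenticated users, a flagged address can be correlated with the WordPress account that was logged in from it at that time. Parameters sent in a POST body do not appear in access logs and need request-body logging or a WAF rule instead.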