ExpressionEngine Structure Plugin SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Structure plugin for ExpressionEngine. The issue arises in the delete_channels() function, where user input from the channel_ids parameter is inserted directly into SQL queries without adequate sanitization. Although exploitation requires access to the admin panel, an admin with limited privileges could potentially exploit this vulnerability.
Impact
An attacker who exploits this vulnerability can manipulate the SQL queries sent to the database. This could lead to unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
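One way to close the pattern described under Vulnerability, as an added example that is not the Structure plugin's or ExpressionEngine's own code: the ID list is validated as positive integers and then bound through one placeholder per ID. The function names, the demo_channels table and the sample values are assumptions constructed for illustration, run against an in-memory SQLite database through PDO (PHP 8).

```php
<?php
declare(strict_types=1);
// Added illustration with hypothetical names; not the plugin's code.
// The risky pattern is building "... IN (" . $input . ")" from raw request data.

// Parse a channel_ids request value (array or comma-separated string) into integers.
function parse_channel_ids(mixed $raw): array
{
    $items = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($items as $item) {
        $text = (is_string($item) || is_int($item)) ? trim((string) $item) : '';
        // Accept only 1-9 ASCII digits with no sign, quote, space or operator.
        if (preg_match('/\A[1-9][0-9]{0,8}\z/', $text) !== 1) {
            throw new InvalidArgumentException('channel_ids must contain only numeric IDs');
        }
        $ids[(int) $text] = true; // array key de-duplicates repeated IDs
    }
    return array_keys($ids);
}

// Delete the given channels using one bound placeholder per validated ID.
function delete_channels_safe(PDO $db, mixed $rawChannelIds): int
{
    $ids = parse_channel_ids($rawChannelIds);
    if ($ids === []) {
        return 0; // nothing to delete; avoids emitting "IN ()"
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM demo_channels WHERE channel_id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_channels (channel_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO demo_channels VALUES (1,'news'),(2,'blog'),(3,'pages'),(4,'events')");

echo delete_channels_safe($db, '1, 2'), " rows deleted\n";
try {
    delete_channels_safe($db, '3 OR 1=1'); // constructed tampered value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo $db->query('SELECT COUNT(*) FROM demo_channels')->fetchColumn(), " rows remain\n";
```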
Added: Jan 26, 2026, 10:27 PM
Updated: Jan 26, 2026, 10:27 PM
