This is also being flagged by WordFence and PatchStack:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/intuitive-custom-post-order/intuitive-custom-post-order-313-authenticated-admin-sql-injection
The Intuitive Custom Post Order plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.1.3, due to insufficient escaping on the user supplied ‘objects’ and ‘tags’ parameters and lack of sufficient preparation in the ‘update_options’ function as well as the ‘refresh’ function which runs queries on the same values. This allows authenticated attackers, with administrator permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note that this attack may only be practical on configurations where it is possible to bypass addslashes due to the database using a nonstandard character set such as GBK.
https://patchstack.com/database/vulnerability/intuitive-custom-post-order/wordpress-intuitive-custom-post-order-plugin-3-1-3-authenticated-admin-sql-injection-vulnerability
Wordfence discovered and reported this SQL Injection vulnerability in WordPress Intuitive Custom Post Order Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information. This vulnerability has not been known to be fixed yet.
A seasoned WordPress developer like myself can read the description and see that one must have Administrator access first to exploit the vulnerability, so it’s a rather edge case and rare scenario where this would be exploited, but nonetheless, infosec teams don’t generally have the same context, and thus just want to see these things patched.
Also eager to hear if this is on the roadmap – love the plugin! Thanks.
