Homepage:
https://wordpress.org/plugins/product-catalog-8/
Description:
Type user access: any user.
$_POST['selectedCategory'] is interpolated directly into the SQL query without escaping or a prepared statement, and UpdateCategoryList() is accessible to any user.
File / Code:
Path: /wp-content/plugins/product-catalog-8/includes/ajax-functions.php
Line: 147
function UpdateCategoryList() {
    global $wpdb, $subcategories_table;
    global $wpdb;
    $table = $subcategories_table;
    $catid = $_POST['selectedCategory'];
    if($catid !== '0') {
        $get_items = $wpdb->get_results( "SELECT * FROM $table WHERE subcategory_category = $catid ORDER BY subcategory_name ASC" );
        echo json_encode($get_items);
    } else {
        $get_items = "";
        echo json_encode($get_items);
    }
    die();
}
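The defect above is a textbook SQL injection: the request parameter is dropped straight into the query string, and the handler performs no nonce or capability check before running it. The following is an added example of how the handler would be rewritten defensively; it is not code from the plugin or from the advisory author. The AJAX action name 'pc8_update_category_list', the nonce action 'pc8_category_list' and the 'read' capability are placeholders chosen for illustration; $subcategories_table is the plugin's own global as used in the original function. check_ajax_referer(), current_user_can(), absint(), $wpdb->prepare() and wp_send_json() are WordPress core APIs.

```php
<?php
// Added example: hardened rewrite of UpdateCategoryList(); not the plugin's own code.
// Placeholders (assumptions, not from the advisory): the AJAX action name
// 'pc8_update_category_list', the nonce action 'pc8_category_list', the 'read' capability.

function UpdateCategoryList_hardened() {
    global $wpdb, $subcategories_table;

    // 1. Reject requests without a valid nonce for this action (CSRF protection).
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'pc8_category_list', 'nonce' );

    // 2. Require a capability before touching catalog data. Adjust the capability
    //    to the plugin's real access model; 'read' is a placeholder.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Coerce the category id to a non-negative integer. Non-numeric input becomes 0,
    //    which the original treats as "no category selected".
    $catid = isset( $_POST['selectedCategory'] ) ? absint( $_POST['selectedCategory'] ) : 0;

    if ( 0 === $catid ) {
        // Preserve the original empty-string response for category 0.
        wp_send_json( '' );
    }

    // 4. Never interpolate user input into SQL. $wpdb->prepare() binds %d as an integer.
    //    The table name comes from the plugin, not the request, but wrapping it in
    //    backticks keeps an unexpected value from altering the query shape.
    $sql = $wpdb->prepare(
        "SELECT * FROM `{$subcategories_table}` WHERE subcategory_category = %d ORDER BY subcategory_name ASC",
        $catid
    );
    $items = $wpdb->get_results( $sql );

    // 5. wp_send_json() sets the JSON content type, echoes the payload and exits,
    //    replacing the original echo json_encode() + die().
    wp_send_json( $items );
}

// Register for logged-in users only; there is deliberately no 'wp_ajax_nopriv_' hook,
// so unauthenticated callers never reach the handler.
add_action( 'wp_ajax_pc8_update_category_list', 'UpdateCategoryList_hardened' );
```

The client-side JavaScript that calls this action must include the nonce (for example, one emitted with wp_create_nonce( 'pc8_category_list' ) and passed to the script through wp_localize_script()), otherwise every request is rejected at step 1. The integer cast in step 3 closes the injection on its own; the prepared statement in step 4 is kept so the query stays safe if the parameter type is ever widened.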
Proof of Concept:
1 – Log in as a regular user (created using wp-login.php?action=register):
2 – Send a POST request to:
OR
target => http://target/wp-admin/admin-ajax.php
Timeline:
- 12/11/2016 – Discovered
- 12/11/2016 – Vendor not found
Well done, kid!