WordPress WP Brutal AI plugin versions prior to 2.0.0 suffer from cross site request forgery and remote SQL injection vulnerabilities.
advisories | CVE-2023-2601
WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRF
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.
WP Brutal AI - Fixed in version 2.0.0
Proof of Concept:
When there is a created campaign, access the following link as an admin:
OWASP top 10 A1: Sql Injection (SQLi)