Tittle:
WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRF

References:
CVE-2023-2601

Author:
Taurus Omar 

Description:
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

Affects Plugins:
WP Brutal AI - Fixed in version 2.0.0

Proof of Concept:

When there is a created campaign, access the following link as an admin:

https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1+and+sleep%2815%29 

Classification:
Type SQLi 
OWASP top 10 A1: Sql Injection (SQLi)
CWE-89

wpScan:
https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-44ec1d59f5fd