
SQL Injection Vulnerability in KBoard-wordpress-plugin  #17

@honeyakshat999

Description

SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.

Structured Query Language (SQL) is a specialized programming language for sending queries to databases. The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system.
The WordPress extension at https://github.com/cosmosfarm/KBoard-wordpress-plugin/ contains a SQL Injection vulnerability.

As mentioned above, the file https://github.com/cosmosfarm/KBoard-wordpress-plugin/blob/master/plugins/kboard/class/KBAdminController.class.php contains the following code:

    $board_id = isset($_POST['board_id'])?intval($_POST['board_id']):'';
    $target = isset($_POST['target'])?sanitize_text_field($_POST['target']):'';
    $before_category = isset($_POST['before_category'])?sanitize_text_field($_POST['before_category']):'';
    $after_category = isset($_POST['after_category'])?sanitize_text_field($_POST['after_category']):'';

    $target   = esc_sql($target);
    $before_category = esc_sql($before_category);
    $after_category = esc_sql($after_category);

    $updated_count = $wpdb->query("UPDATE `{$wpdb->prefix}kboard_board_content` SET `{$target}`='{$after_category}'     WHERE `board_id`='{$board_id}' AND `{$target}`='{$before_category}'");

Steps to Reproduce

Proof of Concept:

[proof-of-concept screenshot not preserved in this copy]
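The root cause of the pattern quoted above is that `$target` is interpolated as a column identifier inside backticks, while `esc_sql()` is only designed to escape values placed inside quoted string literals; it does not make user input safe as an identifier, and it is also not the right tool for the value positions when `$wpdb->prepare()` is available. The following is an added example of a hardened version of that update, written for this page and not taken from the KBoard project or its maintainers. It assumes it runs inside WordPress (so `$wpdb`, `sanitize_text_field()` and `wp_die()` exist); the function name `kboard_safe_update_category` and the column names in `KBOARD_CATEGORY_COLUMNS` are hypothetical placeholders, since the plugin's real column names are not on this page.

```php
<?php
// Added example, not the plugin's own code. Hardened form of the category
// update quoted in the issue. Assumes the WordPress runtime ($wpdb,
// sanitize_text_field, wp_die). Function and column names are hypothetical.

/**
 * Columns that the "target" request parameter is allowed to name.
 * User input used as an SQL identifier cannot be escaped; it has to be
 * matched exactly against a fixed allowlist. (Hypothetical column names.)
 */
const KBOARD_CATEGORY_COLUMNS = array('category1', 'category2', 'category3');

/**
 * Rewrites one category value to another for every row of a board.
 * Returns the number of updated rows, or false on a database error.
 */
function kboard_safe_update_category() {
    global $wpdb;

    $board_id        = isset($_POST['board_id'])        ? intval($_POST['board_id'])                     : 0;
    $target          = isset($_POST['target'])          ? sanitize_text_field($_POST['target'])          : '';
    $before_category = isset($_POST['before_category']) ? sanitize_text_field($_POST['before_category']) : '';
    $after_category  = isset($_POST['after_category'])  ? sanitize_text_field($_POST['after_category'])  : '';

    // Identifier position: strict allowlist check (strict comparison, no coercion).
    // Anything that is not an exact known column name is rejected outright.
    if (!in_array($target, KBOARD_CATEGORY_COLUMNS, true)) {
        wp_die('Invalid target column.', '', array('response' => 400));
    }

    // Value positions: bind through $wpdb->prepare() placeholders (%s for
    // strings, %d for integers) instead of interpolating into the string.
    // The table name comes from the site configuration, not from the request.
    $table = $wpdb->prefix . 'kboard_board_content';
    $sql   = $wpdb->prepare(
        "UPDATE `{$table}` SET `{$target}` = %s WHERE `board_id` = %d AND `{$target}` = %s",
        $after_category,
        $board_id,
        $before_category
    );

    return $wpdb->query($sql);
}
```

The design point is that the two kinds of user-controlled input need two different controls: identifiers (table or column names) are validated against an allowlist and never escaped, while values are passed as `prepare()` arguments so the database driver quotes them. Replacing `esc_sql()` with `prepare()` alone would still leave the `$target` identifier unprotected.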
