[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3C1Mz6jVr1zQXmuySGrnQeSFLEDo0BcvZYJ4GnxxmTE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32365","collapsing-archives-authenticated-contributor-sql-injection","Collapsing Archives \u003C= 3.0.7 - Authenticated (Contributor+) SQL Injection","The Collapsing Archives plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","collapsing-archives",null,"\u003C=3.0.7","3.0.8","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-16 00:00:00","2026-04-15 20:51:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1689c9bc-4af8-437a-b403-6af9ca4fd959?source=api-prod",59,[22,23,24],"collapsArch.php","collapsArchList.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32365\n\n## 1. Vulnerability Summary\nThe **Collapsing Archives** plugin (versions \u003C= 3.0.7) is vulnerable to an authenticated SQL injection (Contributor+ level) due to improper sanitization and preparation of user-supplied parameters within its Gutenberg block attributes. Specifically, the parameters `inExcludeYears`, `sort`, and `post_type` are concatenated directly into SQL queries within the `list_archives()` function in `collapsArchList.php`.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Hook:** Gutenberg block rendering (Gutenberg blocks pass attributes to a server-side `render_callback`).\n- **Endpoint:** Any page or post where a Contributor (or higher) can insert a block, or the REST API `block-renderer` endpoint.\n- **Vulnerable Parameters:** `inExcludeYears`, `sort`, `post_type`.\n- **Authentication:** Authenticated (Contributor+). Contributors can create posts and define block attributes.\n- **Preconditions:** The plugin must be active, and the attacker must have a user account with `contributor`, `author`, `editor`, or `administrator` roles.\n\n## 3. Code Flow\n1. **Entry Point:** A Contributor creates or edits a post containing the `create-block\u002Fcollapsing-archives` block (registered in `collapsArch.php` via `create_block_collapsArch_block_init`).\n2. **Registration","The Collapsing Archives plugin for WordPress is vulnerable to SQL Injection due to the direct concatenation of block attributes like 'inExcludeYears' into SQL queries without proper sanitization or use of prepared statements. This allows authenticated users with Contributor-level permissions or higher to execute arbitrary SQL commands and extract sensitive information from the database.","\u002F\u002F collapsArchList.php lines 64-80\n\tif ( !empty($inExcludeYear) && !empty($inExcludeYears) ) {\n\t\t$exterms = preg_split('\u002F[,]+\u002F',$inExcludeYears);\n    if ($inExcludeYear=='include') {\n      $in='IN';\n    } else {\n      $in='NOT IN';\n    }\n\t\tif ( count($exterms) ) {\n\t\t\tforeach ( $exterms as $exterm ) {\n\t\t\t\tif (empty($inExclusionsYear))\n\t\t\t\t\t$inExclusionsYear = \"'\" .$exterm . \"'\";\n\t\t\t\telse\n\t\t\t\t\t$inExclusionsYear .= \", '\" . $exterm . \"' \";\n\t\t\t}\n\t\t}\n\t}\n\tif ( empty($inExclusionsYear) ) {\n\t\t$inExcludeYearQuery = \"\";\n  } else {\n    $inExcludeYearQuery =\"AND YEAR($wpdb->posts.post_date) $in ($inExclusionsYear)\";\n  }\n\n---\n\n\u002F\u002F collapsArchList.php lines 91-106\n  $postquery= \"SELECT $wpdb->terms.slug, $wpdb->posts.ID,\n    $wpdb->posts.post_name, $wpdb->posts.post_title, $wpdb->posts.post_author,\n    $wpdb->posts.post_date, YEAR($wpdb->posts.post_date) AS 'year',\n    MONTH($wpdb->posts.post_date) AS 'month' ,\n    $wpdb->posts.post_type\n    FROM $wpdb->posts LEFT JOIN $wpdb->term_relationships ON $wpdb->posts.ID =\n    $wpdb->term_relationships.object_id\n\t\tLEFT JOIN $wpdb->term_taxonomy ON $wpdb->term_taxonomy.term_taxonomy_id =\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t$wpdb->term_relationships.term_taxonomy_id\n\t\tLEFT JOIN $wpdb->terms ON $wpdb->terms.term_id =\n\t\t                          $wpdb->term_taxonomy.term_id\n  WHERE post_status='publish' $postTypeQuery $inExcludeYearQuery $inExcludeCatQuery\n  GROUP BY $wpdb->posts.ID\n  ORDER BY $wpdb->posts.post_date $sort\";\n\n  $allPosts=$wpdb->get_results($postquery);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcollapsing-archives\u002F3.0.7\u002FcollapsArchList.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcollapsing-archives\u002F3.0.8\u002FcollapsArchList.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcollapsing-archives\u002F3.0.7\u002FcollapsArchList.php\t2025-05-05 06:53:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcollapsing-archives\u002F3.0.8\u002FcollapsArchList.php\t2026-02-12 03:40:52.000000000 +0000\n@@ -52,28 +52,28 @@\n   } else {\n     $inExcludeCatQuery =\"AND $wpdb->terms.slug $in ($inExclusionsCat)\";\n   }\n-\t$inExclusionsYear = array();\n+\t$inExcludeYearQuery = \"\";\n \tif ( !empty($inExcludeYear) && !empty($inExcludeYears) ) {\n-\t\t$exterms = preg_split('\u002F[,]+\u002F',$inExcludeYears);\n-    if ($inExcludeYear=='include') {\n-      $in='IN';\n-    } else {\n-      $in='NOT IN';\n-    }\n+\t\t$exterms = preg_split('\u002F[,]+\u002F', $inExcludeYears);\n+\t\t\u002F\u002F Validate $inExcludeYear to prevent SQL injection.\n+\t\t$in = ( $inExcludeYear === 'include' ) ? 'IN' : 'NOT IN';\n \t\tif ( count($exterms) ) {\n+\t\t\t$sanitized_years = array();\n \t\t\tforeach ( $exterms as $exterm ) {\n-\t\t\t\tif (empty($inExclusionsYear))\n-\t\t\t\t\t$inExclusionsYear = \"'\" .$exterm . \"'\";\n-\t\t\t\telse\n-\t\t\t\t\t$inExclusionsYear .= \", '\" . $exterm . \"' \";\n+\t\t\t\t$year = absint( trim( $exterm ) );\n+\t\t\t\tif ( $year > 0 ) {\n+\t\t\t\t\t$sanitized_years[] = $year;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t\tif ( ! empty( $sanitized_years ) ) {\n+\t\t\t\t$placeholders = implode( ', ', array_fill( 0, count( $sanitized_years ), '%d' ) );\n+\t\t\t\t$inExcludeYearQuery = $wpdb->prepare(\n+\t\t\t\t\t\"AND YEAR($wpdb->posts.post_date) $in ($placeholders)\",\n+\t\t\t\t\t$sanitized_years\n+\t\t\t\t);\n \t\t\t}\n \t\t}\n \t}\n-\tif ( empty($inExclusionsYear) ) {\n-\t\t$inExcludeYearQuery = \"\";\n-  } else {\n-    $inExcludeYearQuery =\"AND YEAR($wpdb->posts.post_date) $in ($inExclusionsYear)\";\n-  }","To exploit this vulnerability, an attacker must have at least Contributor-level authentication. The attacker can then utilize the WordPress REST API block-renderer endpoint (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fcreate-block\u002Fcollapsing-archives`) or create a post containing the plugin's Gutenberg block. By manipulating the `attributes` object in the request, specifically the `inExcludeYears` parameter, the attacker can inject SQL syntax. For example, a payload such as `2024') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -` will break out of the string encapsulation in the `list_archives()` function, allowing the attacker to perform time-based blind SQL injection or extract data using UNION-based techniques.","gemini-3-flash-preview","2026-04-20 21:50:23","2026-04-20 21:51:12",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-archives\u002Ftags\u002F3.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcollapsing-archives.3.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-archives\u002Ftags\u002F3.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcollapsing-archives.3.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-archives\u002Ftags"]