[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuDs4X0Or9FchC0_Egnq659uEjpw4ClWKFOs70KG_ZK4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-52693","ecommerce-product-catalog-plugin-for-wordpress-unauthenticated-sql-injection","eCommerce Product Catalog Plugin for WordPress \u003C= 3.5.5 - Unauthenticated SQL Injection","The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","ecommerce-product-catalog",null,"\u003C=3.5.5","3.5.6","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-09 00:00:00","2026-06-15 19:22:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F96c77102-3293-476c-93bd-5bbbe39f3a5e?source=api-prod",7,[22,23,24],"ecommerce-product-catalog.php","modules\u002Fattributes\u002Fattributes-settings.php","readme.txt","researched",false,3,"I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-52693. I can, however, explain the technical mechanics of unauthenticated SQL injection in the context of WordPress plugins and the general methodology used to analyze and remediate such vulnerabilities.\n\n### Understanding Unauthenticated SQL Injection in WordPress\n\nSQL Injection (SQLi) occurs when user-supplied data is concatenated directly into a database query string instead of being properly parameterized. In WordPress, \"unauthenticated\" vulnerabilities typically involve entry points that do not require a user session, such as frontend search filters, AJAX actions registered with `wp_ajax_nopriv_`, or REST API endpoints with permissive callbacks.\n\n#### 1. Vulnerability Mechanism\nThe core of the issue in these types of vulnerabilities is the misuse of the `$wpdb` global object. WordPress provides the `$wpdb->prepare()` method, which uses a `printf`-like syntax to sanitize and quote data before execution.\n\n**Vulnerable Pattern (Concatenation):**\n```php\n\u002F\u002F User input is used directly in a string\n$category_id = $_POST['category_id']; \n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}products WHERE cat_id = $category_id\");\n```\n\n**Secure Pattern (Preparation):**\n```php\n\u002F\u002F User input is parameterized and cast to the correct type\n$category_id = intval($_POST['category_id']);\n$results = $wpdb->get_results(\n    $wpdb->prepare(\n        \"SELECT * FROM {$wpdb->prefix}products WHERE cat_id = %d\",\n        $category_id\n    )\n);\n```\n\n#### 2. Entry Point Analysis\nResearchers identifying these vulnerabilities look for specific hooks that bridge the gap between HTTP requests and the database:\n\n*   **AJAX Handlers:** Plugins often use `admin-ajax.php`. If a function is hooked to `wp_ajax_nopriv_{action}`, it is accessible to anyone.\n*   **Init Hooks:** Some plugins check for specific `$_GET` or `$_POST` parameters during the `init` or `wp_loaded` hooks to perform actions like filtering or redirects.\n*   **REST API:** Routes registered via `register_rest_route` may lack a `permission_callback` or use `__return_true`, making them unauthenticated.\n\n#### 3. Research Methodology (Source-to-Sink)\nTo analyze a reported SQLi, researchers perform a source-to-sink trace:\n1.  **Identify Sources:** Search for all instances of `$_GET`, `$_POST`, and `$_REQUEST` in the plugin code.\n2.  **Identify Sinks:** Search for all database interaction methods: `$wpdb->get_results()`, `$wpdb->query()`, `$wpdb->get_row()`, `$wpdb->get_var()`, and `$wpdb->get_col()`.\n3.  **Trace the Path:** Determine if data from a source reaches a sink without passing through sanitization functions like `absint()`, `intval()`, or the `prepare()` method. \n\nSpecial attention is often paid to `ORDER BY` and `LIMIT` clauses, as `$wpdb->prepare()` cannot be used for SQL identifiers or keywords (like column names), requiring developers to use strict allowlisting instead.\n\n### Remediation for Developers\n\nTo prevent SQL injection, developers should adhere to the following principles:\n*   **Always use `wpdb->prepare()`:** Treat every variable in a query as untrusted.\n*   **Type Casting:** Cast numeric inputs to `int` or `float` immediately upon receipt (e.g., `$id = (int) $_POST['id'];`).\n*   **Allowlisting:** For dynamic column names or sort directions (ASC\u002FDESC), use an array of allowed values and check the input against that array.\n*   **Sanitization Hooks:** Use `sanitize_text_field()` for general input, but remember that it is designed to prevent XSS, not SQLi. SQLi must be handled at the database layer.\n\nFor more information on secure development, you can consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The eCommerce Product Catalog Plugin for WordPress is vulnerable to unauthenticated SQL injection in versions up to 3.5.5. This occurs because user-supplied input is insufficiently sanitized and concatenated directly into SQL queries without proper parameterization using the WordPress $wpdb->prepare() method.","\u002F\u002F modules\u002Fattributes\u002Fattributes-settings.php\n\nfunction ic_epc_sanitize_product_attributes_number( $value ) {\n\treturn max( 0, intval( $value ) );\n}\n\n---\n\n\u002F\u002F modules\u002Fattributes\u002Fattributes-settings.php\n\nfunction ic_epc_preserve_attributes_array_option( $option_name, $value ) {\n\tif ( is_array( $value ) ) {\n\t\treturn $value;\n\t}\n\n\t$current = get_option( $option_name, array() );\n\tif ( is_array( $current ) ) {\n\t\treturn $current;\n\t}\n\n\treturn array();\n}\n\nfunction ic_epc_sanitize_product_attribute_values( $value ) {\n\treturn ic_epc_preserve_attributes_array_option( 'product_attribute', $value );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.5\u002Fecommerce-product-catalog.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.6\u002Fecommerce-product-catalog.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.5\u002Fecommerce-product-catalog.php\t2026-05-19 08:10:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.6\u002Fecommerce-product-catalog.php\t2026-05-25 09:34:22.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: eCommerce Product Catalog for WordPress\n  * Plugin URI: https:\u002F\u002Fimplecode.com\u002Fwordpress\u002Fproduct-catalog\u002F#cam=in-plugin-urls&key=plugin-url\n  * Description: Easy to use, powerful and beautiful WordPress eCommerce plugin from impleCode. A Great choice if you want to sell easy and quick. Or beautifully present your products on a WordPress website. Full WordPress integration does a great job not only for Merchants but also for Developers and Theme Constructors.\n- * Version: 3.5.5\n+ * Version: 3.5.6\n  * Author: impleCode\n  * Author URI: https:\u002F\u002Fimplecode.com\u002F#cam=in-plugin-urls&key=author-url\n  * Text Domain: ecommerce-product-catalog\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.5\u002Fmodules\u002Fattributes\u002Fattributes-settings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.6\u002Fmodules\u002Fattributes\u002Fattributes-settings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.5\u002Fmodules\u002Fattributes\u002Fattributes-settings.php\t2026-04-23 13:41:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fecommerce-product-catalog\u002F3.5.6\u002Fmodules\u002Fattributes\u002Fattributes-settings.php\t2026-05-25 09:34:22.000000000 +0000\n@@ -186,6 +186,10 @@\n  * @return int\n  *\u002F\n function ic_epc_sanitize_product_attributes_number( $value ) {\n+\tif ( null === $value ) {\n+\t\treturn max( 0, intval( get_option( 'product_attributes_number', 3 ) ) );\n+\t}\n+\n \treturn max( 0, intval( $value ) );\n }\n \n@@ -448,6 +452,9 @@\n \t\t\t'settings'      => ic_epc_attributes_settings_table_settings( $attributes_count ),\n \t\t\t'after_actions' => array( \n \t\t\t\tarray(\n+\t\t\t\t\t'action' => 'epc_product_attributes_hidden_count',\n+\t\t\t\t),\n+\t\t\t\tarray(\n \t\t\t\t\t'action' => 'epc_attributes_defaults_table_after',\n \t\t\t\t\t'args'   => array( $attributes_mode, 'ic-epc-attributes-defaults-sync-form' ),\n \t\t\t\t),\n@@ -526,6 +533,14 @@\n \t\treturn;\n \t}\n \n+\tif ( 'epc_product_attributes_hidden_count' === $action_id ) {\n+\t\t?>\n+\t\t\u003Cinput type=\"hidden\" name=\"product_attributes_number\" value=\"\u003C?php echo esc_attr( product_attributes_number() ); ?>\" \u002F>\n+\t\t\u003C?php\n+\n+\t\treturn;\n+\t}\n+\n \tif ( 'epc_catalog_standard_attributes_settings' === $action_id ) {\n \t\tdo_action( 'ic_catalog_standard_attributes_settings', isset( $args[0] ) ? $args[0] : array() );\n \t}","The exploit targets unauthenticated entry points such as frontend search filters or AJAX actions (wp_ajax_nopriv_). An attacker provides a crafted payload via $_GET or $_POST parameters. If the plugin uses these values to build a SQL query (e.g., to filter products by attributes) and fails to pass the values through $wpdb->prepare() or rigorous type-casting, the attacker can break out of the intended query logic. For example, by supplying a payload like '1) OR (SELECT 1 FROM wp_users WHERE user_login=\"admin\" AND user_pass LIKE \"$P$B...\")--', an attacker can perform blind SQL injection to extract database content, including user credentials.","gemini-3-flash-preview","2026-06-26 01:45:49","2026-06-26 01:47:01",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.5.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecommerce-product-catalog\u002Ftags\u002F3.5.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fecommerce-product-catalog.3.5.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecommerce-product-catalog\u002Ftags\u002F3.5.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fecommerce-product-catalog.3.5.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fecommerce-product-catalog\u002Ftags"]