[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqtMi09CORkCnQD4VoSVeQOIR3FRVFfk49bYACNvhyOQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-39519","geekybot-ai-copilot-chatbot-woocommerce-lead-gen-zero-prompt-content-unauthenticated-sql-injection","GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content \u003C= 1.2.0 - Unauthenticated SQL Injection","The GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","geeky-bot",null,"\u003C=1.2.0","1.2.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-08 00:00:00","2026-04-13 21:10:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F351a035a-9768-4efd-9887-e0905e129634?source=api-prod",6,[22,23,24,25,26,27],"geeky-bot.php","includes\u002Factivation.php","includes\u002Fclasses\u002Fgeekybotsessiondata.php","modules\u002Fgeekybot\u002Fcontroller.php","modules\u002Fwoocommerce\u002Fmodel.php","readme.txt","researched",false,3,"This research plan outlines the steps to exploit an unauthenticated SQL injection vulnerability in the **GeekyBot** plugin for WordPress (versions \u003C= 1.2.0).\n\n### 1. Vulnerability Summary\nThe GeekyBot plugin is vulnerable to SQL injection because it uses the `geekybot_chat_id` cookie value directly in SQL queries without sanitization or parameterization via `$wpdb->prepare()`. Specifically, the value is retrieved via `geekybot_getchatid()` and concatenated into queries in `includes\u002Fclasses\u002Fgeekybotsessiondata.php`. Since this cookie can be set by any unauthenticated user, it provides a direct path for SQL injection.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `geekybot_process_message` (unauthenticated AJAX action)\n*   **Vulnerable Parameter**: `geekybot_chat_id` Cookie\n*   **Authentication**: Unauthenticated\n*   **Preconditions**: None. The plugin just needs to be active.\n\n### 3. Code Flow\n1.  **Entry Point**: An unauthenticated user sends a request to `admin-ajax.php` with the action `geekybot_process_message`.\n2.  
**AJAX Handler**: The handler (likely in `geeky-bot.php`) calls the chatbot logic to process the message.\n3.  **Session Initialization**: The code attempts to load or save session data using `GEEKYBOTgeekybotsessiondata::geekybot_addSessionVariablesDataToTable` or `geekybot_getVariablesDatabySessionId` (found in `includes\u002Fclasses\u002Fgeekybotsessiondata.php`).\n4.  **Source**: These functions call `GEEKYBOTchathistoryModel::geekybot_getchatid()` which retrieves the value of `$_COOKIE['geekybot_chat_id']`.\n5.  **Sink**: The value is concatenated into a raw SQL query string:\n    ```php\n    \u002F\u002F includes\u002Fclasses\u002Fgeekybotsessiondata.php\n    $query = \"SELECT sessionmsgvalue FROM `\" . geekybot::$_db->prefix . \"geekybot_sessiondata` \n              WHERE sessionmsgkey = '\" . $key . \"' \n              AND usersessionid = '\" . $chatid . \"' \n              AND sessionexpire > '\" . time() . \"'\";\n    $data = geekybotdb::GEEKYBOT_get_row($query);\n    ```\n6.  **Execution**: `geekybotdb::GEEKYBOT_get_row` executes the unsanitized query, leading to SQL injection.\n\n### 4. Nonce Acquisition Strategy\nThe chatbot typically requires a nonce for its AJAX requests. This nonce is usually localized into the page's JavaScript.\n\n1.  **Identify Shortcode**: The chatbot is often site-wide but may require the `[geeky-bot]` or `[geekybot]` shortcode.\n2.  **Create Page**:\n    `wp post create --post_type=page --post_status=publish --post_content='[geekybot]'`\n3.  **Navigate and Extract**:\n    - Use `browser_navigate` to visit the new page.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      \u002F\u002F Common variable name for this plugin's","The GeekyBot plugin for WordPress is vulnerable to unauthenticated SQL injection due to the use of unsanitized values from the 'geekybot_chat_id' cookie in database queries. 
Attackers can manipulate this cookie to append arbitrary SQL commands to existing queries, potentially allowing for the extraction of sensitive information from the database.","\u002F\u002F includes\u002Fclasses\u002Fgeekybotsessiondata.php\n\npublic function geekybot_addSessionVariablesDataToTable($messages){\n    \u002F\u002F ... (lines 21-23)\n    if(isset($_COOKIE['geekybot_chat_id'])){\n        $chatid = GEEKYBOTincluder::GEEKYBOT_getModel('chathistory')->geekybot_getchatid();\n        foreach ($messages as $key => $value) {\n            $value = addslashes($value);\n            if ($key != 'chathistory') {\n                $data = $this->geekybot_getVariablesDatabySessionId($chatid, $key);\n                if($data != \"\"){\n                    $update = true;\n                } else {\n                    $update = false;\n                }\n                if(!$update){\n                    $query = \"INSERT INTO `\" . geekybot::$_db->prefix . \"geekybot_sessiondata` (`usersessionid`, `sessionmsgkey`, `sessionmsgvalue`, `sessionexpire`) VALUES ('\".$chatid.\"', '\".$key.\"', '\".$value.\"', '\".geekybot::$_geekybotsession->sessionexpire.\"');\";\n                    geekybot::$_db->query($query);\n                }else{\n                    $query = \"UPDATE `\" . geekybot::$_db->prefix . \"geekybot_sessiondata` SET `sessionmsgvalue` = '\".$value.\"' WHERE `usersessionid`= '\" . $chatid . \"' AND `sessionmsgkey`= '\" . $key . \"' \";\n                    geekybotdb::query($query);\n                }\n            }\n        }\n    }\n    return false;\n}\n\n---\n\n\u002F\u002F includes\u002Fclasses\u002Fgeekybotsessiondata.php\n\npublic function geekybot_getVariablesDatabySessionId($usersessionid, $key = '' , $deldata = false){\n    $query = \"SELECT sessionmsgvalue\n        FROM `\" . geekybot::$_db->prefix . \"geekybot_sessiondata`  WHERE sessionmsgkey = '\" . $key . \"' AND usersessionid = '\" . $usersessionid . \"' AND sessionexpire > '\" . time() . 
\"'\";\n    $data = geekybotdb::GEEKYBOT_get_row($query);\n    if($deldata){\n        $query = \"DELETE FROM `\".geekybot::$_db->prefix . \"geekybot_sessiondata` WHERE usersessionid = '\".$usersessionid.\"' \";\n        geekybotdb::query($query);\n    }\n    return $data;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeeky-bot\u002F1.2.0\u002Fincludes\u002Fclasses\u002Fgeekybotsessiondata.php\t2026-02-13 04:41:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeeky-bot\u002F1.2.1\u002Fincludes\u002Fclasses\u002Fgeekybotsessiondata.php\t2026-03-04 04:57:30.000000000 +0000\n@@ -21,9 +21,13 @@\n         $update = false;\n         if(isset($_COOKIE['geekybot_chat_id'])){\n             $chatid = GEEKYBOTincluder::GEEKYBOT_getModel('chathistory')->geekybot_getchatid();\n+            $chatid = esc_sql( sanitize_text_field($chatid) );\n             foreach ($messages as $key => $value) {\n                 $value = addslashes($value);\n                 if ($key != 'chathistory') {\n+                    $key   = esc_sql( sanitize_text_field($key) );\n+                    $value = esc_sql( sanitize_text_field($value) );\n+\n                     $data = $this->geekybot_getVariablesDatabySessionId($chatid, $key);\n                     if($data != \"\"){\n                         $update = true;\n@@ -31,7 +35,8 @@\n                         $update = false;\n                     }\n                     if(!$update){\n-                        $query = \"INSERT INTO `\" . geekybot::$_db->prefix . \"geekybot_sessiondata` (`usersessionid`, `sessionmsgkey`, `sessionmsgvalue`, `sessionexpire`) VALUES ('\".$chatid.\"', '\".$key.\"', '\".$value.\"', '\".geekybot::$_geekybotsession->sessionexpire.\"');\";\n+                        $sessionexpire = esc_sql( sanitize_text_field(geekybot::$_geekybotsession->sessionexpire) );\n+                        $query = \"INSERT INTO `\" . 
geekybot::$_db->prefix . \"geekybot_sessiondata` (`usersessionid`, `sessionmsgkey`, `sessionmsgvalue`, `sessionexpire`) VALUES ('\".$chatid.\"', '\".$key.\"', '\".$value.\"', '\".$sessionexpire.\"');\";\n                         geekybot::$_db->query($query);\n                     }else{\n                         $query = \"UPDATE `\" . geekybot::$_db->prefix . \"geekybot_sessiondata` SET `sessionmsgvalue` = '\".$value.\"' WHERE `usersessionid`= '\" . $chatid . \"' AND `sessionmsgkey`= '\" . $key . \"' \";\n@@ -60,8 +76,14 @@\n     }\n \n     public function geekybot_getVariablesDatabySessionId($usersessionid, $key = '' , $deldata = false){\n+        $usersessionid = esc_sql( sanitize_text_field($usersessionid) );\n+        $key           = esc_sql( sanitize_text_field($key) );\n+        $time          = time();\n+\n         $query = \"SELECT sessionmsgvalue\n-            FROM `\" . geekybot::$_db->prefix . \"geekybot_sessiondata`  WHERE sessionmsgkey = '\" . $key . \"' AND usersessionid = '\" . $usersessionid . \"' AND sessionexpire > '\" . time() . \"'\";\n+            FROM `\" . geekybot::$_db->prefix . \"geekybot_sessiondata`  WHERE sessionmsgkey = '\" . $key . \"' AND usersessionid = '\" . $usersessionid . \"' AND sessionexpire > '\" . $time . \"'\";\n+\n         $data = geekybotdb::GEEKYBOT_get_row($query);\n         if($deldata){\n             $query = \"DELETE FROM `\".geekybot::$_db->prefix . \"geekybot_sessiondata` WHERE usersessionid = '\".$usersessionid.\"' \";","To exploit this vulnerability, an unauthenticated attacker needs to follow these steps:\n\n1.  **Locate Interaction Point**: Identify a page on the target WordPress site where the GeekyBot chatbot is active. This is common if the site uses the `[geekybot]` shortcode or has the chatbot globally enabled.\n2.  **Craft Payload**: Prepare a malicious SQL payload designed to extract data or cause delays (e.g., using `UNION SELECT` or boolean-based techniques). \n3.  
**Set Cookie**: Inject the payload into the `geekybot_chat_id` cookie. Since the plugin retrieves this cookie via `geekybot_getchatid()` and concatenates it directly into SQL queries within `includes\u002Fclasses\u002Fgeekybotsessiondata.php`, the payload will be executed.\n4.  **Trigger Execution**: Send an AJAX request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `geekybot_process_message`. This action triggers the chatbot logic, which subsequently calls session management functions that utilize the malicious cookie value in database queries.\n5.  **Data Extraction**: Observe the server's response or use time-based analysis (if using a sleep-based payload) to confirm the execution of the injected SQL and extract database information.","gemini-3-flash-preview","2026-04-17 20:06:12","2026-04-17 20:07:19",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags"]
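Review bot: In the first hunk of includes/classes/geekybotsessiondata.php (@@ -21,9 +21,13 @@), `$value` is still passed through `addslashes()` on the unchanged context line and then through the added `esc_sql( sanitize_text_field($value) )`, so it is escaped twice and stored session values containing quotes or backslashes will come back with extra backslashes. Drop the `addslashes()` call and bind `$chatid`, `$key` and `$value` as `%s` placeholders through `$wpdb->prepare()` instead of escaping each variable by hand. Since `$chatid` originates from the `geekybot_chat_id` cookie, it would also be worth rejecting values that do not match the format the plugin itself issues before any query is built.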
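Review bot: In the second hunk (@@ -31,7 +35,8 @@), the INSERT is still assembled by string concatenation, and the UPDATE in the `else` branch is left unchanged and safe only because the variables were escaped earlier in the function. Any later edit that reorders or removes those `esc_sql()` lines reopens the injection. Build both statements with `$wpdb->prepare()` and `%s` placeholders so that the safety lives in the query itself. The added `sanitize_text_field()` on `geekybot::$_geekybotsession->sessionexpire` treats a server-side expiry value as text; casting it to an integer would state the intent more clearly.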
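Review bot: In the third hunk (@@ -60,8 +76,14 @@), `geekybot_getVariablesDatabySessionId()` now applies `esc_sql()` to `$usersessionid` and `$key`, but the caller in the first hunk already passes values it has run through `esc_sql()`. For any key or chat id containing a quote or backslash, the SELECT then compares against a doubly escaped string while the INSERT and UPDATE use the singly escaped one, so the lookup will not find the row and the code will always take the INSERT branch. Escape in one place only, preferably by moving to `$wpdb->prepare()` inside this function and passing raw values from the caller. The DELETE in the trailing context also concatenates `$usersessionid` and should be converted at the same time.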