CVE-2026-2831

MailArchiver <= 4.5.0 - Authenticated (Administrator+) SQL Injection via 'logid' Parameter

Severity: medium
Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 4.9
Patched in: 4.5.1
Time to patch: 1d

Description

The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 4.5.0
Published: February 26, 2026
Last updated: February 27, 2026
Affected plugin: mailarchiver

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-2831 - MailArchiver SQL Injection

1. Vulnerability Summary

The MailArchiver plugin for WordPress (versions <= 4.5.0) is vulnerable to an authenticated SQL injection via the logid parameter. The vulnerability exists because the plugin fails to properly sanitize or prepare SQL queries when fetching specific mail log details from the database. An attacker with Administrator-level access can manipulate the logid parameter to execute arbitrary SQL commands, potentially leading to sensitive data extraction from the WordPress database.

2. Attack Vector Analysis

  • Endpoint: Administrative dashboard, likely wp-admin/admin.php or wp-admin/admin-ajax.php.
  • Vulnerable Parameter: logid (likely via $_GET or $_REQUEST).
  • Authentication: Required (Administrator+).
  • Action/Page: Likely a "View Log" or "Details" sub-page within the MailArchiver menu.
  • Preconditions:
    • Plugin installed and activated.
    • At least one mail log must exist in the database (to trigger the vulnerable code path).
    • Administrator credentials.

3. Code Flow (Inferred)

  1. The user navigates to the MailArchiver log management page.
  2. The user clicks to view details of a specific log entry.
  3. The request is sent to an admin page handler (e.g., admin_menu callback) or an AJAX handler.
  4. The handler retrieves the logid from the request: $logid = $_GET['logid'];.
  5. The plugin constructs an SQL query using string concatenation:
    $wpdb->get_row("SELECT * FROM {$wpdb->prefix}mailarchiver_logs WHERE id = " . $logid); (Inferred logic).
  6. Because $wpdb->prepare() is not used and the input is not cast to an integer or escaped, SQL injection occurs.

4. Nonce Acquisition Strategy

Administrative pages in WordPress almost always utilize nonces for CSRF protection (check_admin_referer or check_ajax_referer).

  1. Identify the Menu Slug: Search the code for add_menu_page or add_submenu_page in the mailarchiver directory to find the log page slug.
  2. Navigate: Use browser_navigate to the identified admin page.
  3. Extract Nonce:
    • If the exploit is via a URL link: The nonce is usually in the _wpnonce query parameter.
    • If the exploit is via a form/AJAX: The nonce is often localized in a JS variable or a hidden input.
    • Recommended Action: Navigate to the logs list page and use browser_eval to find the "View" link for an existing log:
      // Example: Find the first link that contains 'logid' and extract its _wpnonce
      Array.from(document.querySelectorAll('a'))
        .find(a => a.href.includes('logid'))
        ?.href.match(/_wpnonce=([a-f0-9]+)/)?.[1]
      
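
As an added illustration for sections 3 and 4 (this is not MailArchiver's own code, which the plan above only infers), the concatenation pattern sits beside a hardened handler that applies a capability check, a nonce check, an integer cast and $wpdb->prepare(). The table name, the nonce action name and both function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Table name, nonce action and function
// names are assumptions; the vulnerable variant mirrors the inferred logic in
// section 3 and must not be used.

// --- Vulnerable pattern (as inferred in section 3): raw string concatenation ---
function ma_example_view_log_vulnerable() {
    global $wpdb;
    $logid = $_GET['logid'];                        // untrusted input, no type check
    $table = $wpdb->prefix . 'mailarchiver_logs';   // assumed table name
    // The user-controlled value is pasted into the SQL text unchanged.
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $logid );
}

// --- Hardened version: capability check, nonce check, integer cast, prepared query ---
function ma_example_view_log_hardened() {
    global $wpdb;

    // 1. Only users who may manage the site get to read archived mail.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'mailarchiver' ), 403 );
    }

    // 2. CSRF protection; 'mailarchiver_view_log' is an assumed nonce action name
    //    that must match the one used when the "View" link was generated.
    check_admin_referer( 'mailarchiver_view_log' );

    // 3. Type enforcement: absint() reduces anything that is not a positive
    //    integer to its leading digits or 0, so "1 AND (SELECT ...)" becomes 1
    //    and "1'" becomes 1. Nothing but a number reaches the query.
    $logid = isset( $_GET['logid'] ) ? absint( wp_unslash( $_GET['logid'] ) ) : 0;
    if ( 0 === $logid ) {
        wp_die( esc_html__( 'Invalid log id.', 'mailarchiver' ), 400 );
    }

    // 4. Bind the value through $wpdb->prepare() anyway, so the SQL text never
    //    contains user-controlled characters even if step 3 is changed later.
    $table = $wpdb->prefix . 'mailarchiver_logs';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $logid )
    );
    if ( null === $row ) {
        wp_die( esc_html__( 'Log entry not found.', 'mailarchiver' ), 404 );
    }
    return $row;
}
```

The integer cast alone would close the injection, but keeping $wpdb->prepare() means the query stays safe if a later change loosens the cast, and the capability and nonce checks limit who can reach the handler at all.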

5. Exploitation Strategy

We will use a Time-Based Blind SQL Injection payload to confirm the vulnerability, as it is the most reliable method when output might not be directly reflected.

Step-by-Step Plan:

  1. Login: Use http_request to authenticate as an administrator.
  2. Generate Test Data: Ensure at least one log entry exists (see section 6).
  3. Identify Endpoint: Locate the exact URL for viewing a log (e.g., /wp-admin/admin.php?page=mailarchiver-logs&action=view&logid=1).
  4. Extract Nonce: Use browser_navigate and browser_eval as described in section 4.
  5. Execution (Baseline): Send a legitimate request to the endpoint and measure response time.
  6. Execution (Attack): Send a request with a SLEEP payload in the logid parameter.

Sample Request:

  • Method: GET
  • URL: http://localhost:8080/wp-admin/admin.php
  • Query Parameters:
    • page: mailarchiver_logs (inferred)
    • action: view (inferred)
    • logid: 1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)
    • _wpnonce: [EXTRACTED_NONCE]

6. Test Data Setup

  1. Activate Plugin: Ensure mailarchiver is active.
  2. Create Admin: Ensure an admin user exists (default: admin/password).
  3. Generate a Log:
    • Send a test email using WordPress (e.g., password reset request or a test mail plugin).
    • Alternatively, use WP-CLI to insert a dummy log if the table schema is known:
      wp db query "INSERT INTO wp_mailarchiver_logs (subject, recipient) VALUES ('Test Subject', 'test@example.com')" (Note: Agent must verify table name first using wp db tables).

7. Expected Results

  • Baseline Request: Responds in < 500ms.
  • Attack Request: Responds in > 5000ms.
  • Error-Based (Optional): If WP_DEBUG is on, providing logid=1' may return a database syntax error in the HTML.

8. Verification Steps

After the HTTP request, verify the injection's reach by extracting the database version:

  1. Payload: logid=1 AND (SELECT 1 FROM (SELECT(IF(VERSION() LIKE '8%', SLEEP(5), 0)))a)
  2. If the delay occurs, we have confirmed the ability to exfiltrate data character-by-character.
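
From the defender's side, the expected results in section 7 and the payloads in section 8 translate directly into a log-based check: a legitimate logid is a bare positive integer, so any other value on the admin page is worth flagging, and a very slow response to such a request is consistent with a SLEEP()-style probe. The following scanner is an added example, not part of the advisory; the access-log format (combined log with a trailing response time in milliseconds), the 4000 ms threshold and the sample lines are all constructed for illustration.

```php
<?php
// Added example: flag access-log entries for the MailArchiver admin page whose
// logid is not a plain integer. Log format, threshold and sample lines are
// assumptions/constructed data, not real traffic.

/**
 * Parse one combined-log-style line that ends with the response time in ms.
 * Returns null when the line does not have the expected shape.
 */
function ma_parse_access_line( string $line ): ?array {
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" '
        . '(?<status>\d{3}) \S+ (?<ms>\d+)$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m['uri'], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );   // percent-decodes each parameter value
    return [
        'ip'     => $m['ip'],
        'ts'     => $m['ts'],
        'uri'    => $m['uri'],
        'status' => (int) $m['status'],
        'ms'     => (int) $m['ms'],
        'params' => $params,
    ];
}

/**
 * Return a reason string when the request looks like an injection attempt
 * against the logid parameter, or null when there is nothing to report.
 */
function ma_classify_request( array $req, int $slow_ms = 4000 ): ?string {
    // Only the WordPress admin page handler is in scope for this check.
    if ( strpos( $req['uri'], '/wp-admin/admin.php' ) !== 0 ) {
        return null;
    }
    if ( ! isset( $req['params']['logid'] ) ) {
        return null;
    }
    $logid = $req['params']['logid'];
    if ( preg_match( '/^[1-9]\d*$/', $logid ) ) {
        return null;   // well-formed id: benign
    }
    $reason = 'non-numeric logid';
    if ( $req['ms'] >= $slow_ms ) {
        $reason .= ', slow response (' . $req['ms'] . ' ms)';   // time-based probe pattern
    }
    if ( $req['status'] >= 500 ) {
        $reason .= ', server error (possible SQL syntax error)';
    }
    return $reason;
}

// Constructed sample lines: one benign view, one matching the SLEEP probe in
// section 5, one matching the error-based check in section 7.
$sample_lines = [
    '10.0.0.5 - admin [26/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=mailarchiver_logs&action=view&logid=12 HTTP/1.1" 200 5120 180',
    '10.0.0.5 - admin [26/Feb/2026:10:00:09 +0000] "GET /wp-admin/admin.php?page=mailarchiver_logs&action=view&logid=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a) HTTP/1.1" 200 5120 5210',
    '10.0.0.5 - admin [26/Feb/2026:10:00:15 +0000] "GET /wp-admin/admin.php?page=mailarchiver_logs&action=view&logid=1%27 HTTP/1.1" 500 812 95',
];

foreach ( $sample_lines as $line ) {
    $req = ma_parse_access_line( $line );
    if ( $req === null ) {
        continue;
    }
    $why = ma_classify_request( $req );
    if ( $why !== null ) {
        printf( "%s %s logid=%s -> %s\n", $req['ts'], $req['ip'], $req['params']['logid'], $why );
    }
}
```

Run against the constructed lines, the first request is silent and the second and third are reported; in a real deployment the same rule is better placed in the WAF or SIEM that already sees these requests, and the response-time condition matters because a time-based probe returns a normal 200 page and leaves no error to catch otherwise.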

9. Alternative Approaches

  • UNION-Based: If the log details are displayed on the page, attempt to find the column count using ORDER BY and then use UNION SELECT to display user_pass from wp_users in place of the log body.
  • AJAX Endpoint: Check if the view action is handled via admin-ajax.php. Search for add_action('wp_ajax_mailarchiver_.... If found, the request should be a POST to wp-admin/admin-ajax.php with the action and logid parameters.

Discovery Commands for the Agent:

# 1. Find where logid is used in queries
grep -rP '\$wpdb->.*logid' wp-content/plugins/mailarchiver/

# 2. Find the admin menu registration to get the 'page' slug
grep -r "add_menu_page" wp-content/plugins/mailarchiver/

# 3. Check for nonce verification in the handler
grep -rE "check_admin_referer|check_ajax_referer|wp_verify_nonce" wp-content/plugins/mailarchiver/
