[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fi0AEjwnfY6OPrPvj1uK68USrJSIHoJpV294pROWfJos":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-2831","mailarchiver-authenticated-admininistrator-sql-injection-via-logid-parameter","MailArchiver \u003C= 4.5.0 - Authenticated (Administrator+) SQL Injection via 'logid' Parameter","The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","mailarchiver",null,"\u003C=4.5.0","4.5.1","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-26 21:48:01","2026-02-27 11:22:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5bc8da1b-8095-46b5-8268-63bdddb4e629?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2831 - MailArchiver SQL Injection\n\n## 1. Vulnerability Summary\nThe **MailArchiver** plugin for WordPress (versions \u003C= 4.5.0) is vulnerable to an authenticated SQL injection via the `logid` parameter. The vulnerability exists because the plugin fails to properly sanitize or prepare SQL queries when fetching specific mail log details from the database. An attacker with Administrator-level access can manipulate the `logid` parameter to execute arbitrary SQL commands, potentially leading to sensitive data extraction from the WordPress database.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Administrative dashboard, likely `wp-admin\u002Fadmin.php` or `wp-admin\u002Fadmin-ajax.php`.\n*   **Vulnerable Parameter:** `logid` (likely via `$_GET` or `$_REQUEST`).\n*   **Authentication:** Required (Administrator+).\n*   **Action\u002FPage:** Likely a \"View Log\" or \"Details\" sub-page within the MailArchiver menu.\n*   **Preconditions:**\n    *   Plugin installed and activated.\n    *   At least one mail log must exist in the database (to trigger the vulnerable code path).\n    *   Administrator credentials.\n\n## 3. Code Flow (Inferred)\n1.  The user navigates to the MailArchiver log management page.\n2.  
The user clicks to view details of a specific log entry.\n3.  The request is sent to an admin page handler (e.g., `admin_menu` callback) or an AJAX handler.\n4.  The handler retrieves the `logid` from the request: `$logid = $_GET['logid'];`.\n5.  The plugin constructs an SQL query using string concatenation:\n    `$wpdb->get_row(\"SELECT * FROM {$wpdb->prefix}mailarchiver_logs WHERE id = \" . $logid);` (Inferred logic).\n6.  Because `$wpdb->prepare()` is not used and the input is not cast to an integer or escaped, SQL injection occurs.\n\n## 4. Nonce Acquisition Strategy\nAdministrative pages in WordPress almost always utilize nonces for CSRF protection (`check_admin_referer` or `check_ajax_referer`).\n\n1.  **Identify the Menu Slug:** Search the code for `add_menu_page` or `add_submenu_page` in the `mailarchiver` directory to find the log page slug.\n2.  **Navigate:** Use `browser_navigate` to the identified admin page.\n3.  **Extract Nonce:**\n    *   If the exploit is via a URL link: The nonce is usually in the `_wpnonce` query parameter.\n    *   If the exploit is via a form\u002FAJAX: The nonce is often localized in a JS variable or a hidden input.\n    *   **Recommended Action:** Navigate to the logs list page and use `browser_eval` to find the \"View\" link for an existing log:\n        ```javascript\n        \u002F\u002F Example: Find the first link that contains 'logid' and extract its _wpnonce\n        Array.from(document.querySelectorAll('a'))\n          .find(a => a.href.includes('logid'))\n          ?.href.match(\u002F_wpnonce=([a-f0-9]+)\u002F)?.[1]\n        ```\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** payload to confirm the vulnerability, as it is the most reliable method when output might not be directly reflected.\n\n### Step-by-Step Plan:\n1.  **Login:** Use `http_request` to authenticate as an administrator.\n2.  **Generate Test Data:** Ensure at least one log entry exists (see section 6).\n3.  
**Identify Endpoint:** Locate the exact URL for viewing a log (e.g., `\u002Fwp-admin\u002Fadmin.php?page=mailarchiver-logs&action=view&logid=1`).\n4.  **Extract Nonce:** Use `browser_navigate` and `browser_eval` as described in section 4.\n5.  **Execution (Baseline):** Send a legitimate request to the endpoint and measure response time.\n6.  **Execution (Attack):** Send a request with a `SLEEP` payload in the `logid` parameter.\n\n**Sample Request:**\n*   **Method:** GET\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php`\n*   **Query Parameters:**\n    *   `page`: `mailarchiver_logs` (inferred)\n    *   `action`: `view` (inferred)\n    *   `logid`: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n\n## 6. Test Data Setup\n1.  **Activate Plugin:** Ensure `mailarchiver` is active.\n2.  **Create Admin:** Ensure an admin user exists (default: `admin`\u002F`password`).\n3.  **Generate a Log:**\n    *   Send a test email using WordPress (e.g., password reset request or a test mail plugin).\n    *   Alternatively, use WP-CLI to insert a dummy log if the table schema is known:\n        `wp db query \"INSERT INTO wp_mailarchiver_logs (subject, recipient) VALUES ('Test Subject', 'test@example.com')\"` (Note: Agent must verify table name first using `wp db tables`).\n\n## 7. Expected Results\n*   **Baseline Request:** Responds in \u003C 500ms.\n*   **Attack Request:** Responds in > 5000ms.\n*   **Error-Based (Optional):** If `WP_DEBUG` is on, providing `logid=1'` may return a database syntax error in the HTML.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the injection's reach by extracting the database version:\n1.  **Payload:** `logid=1 AND (SELECT 1 FROM (SELECT(IF(VERSION() LIKE '8%', SLEEP(5), 0)))a)`\n2.  If the delay occurs, we have confirmed the ability to exfiltrate data character-by-character.\n\n## 9. 
Alternative Approaches\n*   **UNION-Based:** If the log details are displayed on the page, attempt to find the column count using `ORDER BY` and then use `UNION SELECT` to display `user_pass` from `wp_users` in place of the log body.\n*   **AJAX Endpoint:** Check if the view action is handled via `admin-ajax.php`. Search for `add_action('wp_ajax_mailarchiver_...`. If found, the request should be a POST to `wp-admin\u002Fadmin-ajax.php` with the `action` and `logid` parameters.\n\n### Discovery Commands for the Agent:\n```bash\n# 1. Find where logid is used in queries\ngrep -rP '\\$wpdb->.*logid' wp-content\u002Fplugins\u002Fmailarchiver\u002F\n\n# 2. Find the admin menu registration to get the 'page' slug\ngrep -r \"add_menu_page\" wp-content\u002Fplugins\u002Fmailarchiver\u002F\n\n# 3. Check for nonce verification in the handler\ngrep -rE \"check_admin_referer|check_ajax_referer|wp_verify_nonce\" wp-content\u002Fplugins\u002Fmailarchiver\u002F\n```","gemini-3-flash-preview","2026-04-18 22:55:12","2026-04-18 22:56:48",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","4.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailarchiver\u002Ftags\u002F4.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailarchiver.4.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailarchiver\u002Ftags\u002F4.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailarchiver.4.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailarchiver\u002Ftags"]