[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fonz7soPtk6wfvUEGdme2f2djCfm6FfdJOeDdw_YSpIQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-25378","nelio-ab-testing-authenticated-editor-sql-injection","Nelio AB Testing \u003C= 8.2.4 - Authenticated (Editor+) SQL Injection","The Nelio AB Testing plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","nelio-ab-testing",null,"\u003C=8.2.4","8.2.5","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-19 00:00:00","2026-02-24 19:20:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F558b27a3-548b-4df3-84aa-24331394f2fe?source=api-prod",6,[],"researched",false,3,"This research plan outlines the steps to identify and exploit CVE-2026-25378, an authenticated SQL injection vulnerability in the Nelio A\u002FB Testing plugin.\n\n### 1. Vulnerability Summary\n**CVE-2026-25378** is a SQL injection vulnerability in the **Nelio A\u002FB Testing** plugin (versions \u003C= 8.2.4). The flaw resides in the handling of user-supplied parameters within database queries used for reporting or experiment management. The plugin fails to adequately use `$wpdb->prepare()` or escape inputs, allowing an authenticated user with **Editor** privileges or higher to append arbitrary SQL commands. This can lead to the exfiltration of sensitive data, including administrator password hashes from the `wp_users` table.\n\n### 2. Attack Vector Analysis\n*   **Entry Point**: Likely a REST API route registered under the `nelio-ab-testing\u002Fv1` namespace or an AJAX action registered via `wp_ajax_`.\n*   **Vulnerable Parameter**: Parameters related to filtering or sorting experiment data (e.g., `id`, `experiment_id`, `orderby`, or `order`).\n*   **Authentication**: Editor-level account (or higher).\n*   **Preconditions**: The plugin must be active, and at least one experiment may need to exist to trigger the relevant query logic.\n\n### 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers a REST route (e.g., in `includes\u002Fclass-nelio-ab-testing-api.php` or `includes\u002Fnelio-ab-testing-functions.php`) with a `permission_callback` that checks for `edit_posts` or `manage_options`.\n2.  **Request Handling**: A request is sent to an endpoint like `\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fstats` or `\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fget-data`.\n3.  **Data Processing**: The handler function retrieves parameters from the `WP_REST_Request` object (e.g., `$request->get_param( 'id' )`).\n4.  **The Sink**: The parameter is concatenated directly into a SQL string or passed to a helper function that builds a query without using `$wpdb->prepare()`.\n5.  **Execution**: `$wpdb->get_results()` is called with the malicious query string.\n\n### 4. Nonce Acquisition Strategy\nThe Nelio A\u002FB Testing plugin uses the standard WordPress REST API for its dashboard. To interact with these endpoints, a valid REST API nonce is required in the `X-WP-Nonce` header.\n\n1.  **Preparation**: Create an Editor user and a page containing the Nelio dashboard scripts.\n2.  **Navigation**: Navigate to the Nelio A\u002FB Testing dashboard page (`\u002Fwp-admin\u002Fadmin.php?page=nelio-ab-testing-main`) while logged in as an Editor.\n3.  **Extraction**: The REST nonce is typically localized in the `wpApiSettings` object.\n    *   **Action**: Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.wpApiSettings?.nonce\")`\n4.  **Alternative**: If the plugin localizes its own settings, check:\n    *   `browser_eval(\"window.nelioAbTestingSettings?.nonce\")` (inferred)\n\n### 5. Exploitation Strategy\nWe will attempt a **Time-Based Blind SQL Injection** first, as it is most reliable for data extraction when results might not be directly reflected.\n\n*   **Endpoint**: `\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fstats` (inferred - common for reporting plugins).\n*   **Method**: GET or POST (depending on route registration).\n*   **Payload (Time-based)**:\n    `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n*   **HTTP Request (Example)**:\n    ```http\n    POST \u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fstats\n    Host: localhost:8080\n    X-WP-Nonce: [EXTRACTED_NONCE]\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\n    ```\n*   **Payload (Union-based - if output reflected)**:\n    `1' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users-- -`\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Install and activate Nelio A\u002FB Testing version 8.2.4.\n2.  **Create User**: Create a user with the `editor` role.\n    *   `wp user create attacker attacker@example.com --role=editor --user_pass=password`\n3.  **Initialize Plugin**: Some plugins require a \"setup\" or a first experiment to populate tables.\n    *   Use `wp post create --post_type=nab_experiment --post_title=\"Test Experiment\" --post_status=publish` (inferred post type).\n4.  **Identify Route**: Use `wp rest route list` to find all registered routes under the `nelio-ab-testing` namespace.\n\n### 7. Expected Results\n*   **Vulnerability Confirmation**: A request with a `SLEEP(5)` payload should result in a response time significantly greater than 5 seconds.\n*   **Data Exposure**: Successful extraction of the `user_pass` hash for the user with `ID = 1` (the administrator).\n\n### 8. Verification Steps\nAfter the HTTP exploit, verify the database state and the payload's effect:\n1.  **Check SQL execution**: If possible, enable the General Query Log in MySQL to see the final rendered query.\n2.  **Verify Admin Hash**: Use WP-CLI to get the actual admin hash and compare it with the exfiltrated value.\n    *   `wp user get 1 --field=user_pass`\n\n### 9. Alternative Approaches\n*   **Boolean-based Blind**: If time-based is blocked or unstable, compare the response length\u002Fstatus between `id=1 AND 1=1` and `id=1 AND 1=2`.\n*   **Error-based**: Inject `OR 1=1` or syntax errors (like `extractvalue()`) to see if the plugin returns `$wpdb->last_error` in the response.\n*   **AJAX Endpoint**: If REST routes are not vulnerable, check `admin-ajax.php` for registered actions:\n    *   `grep -r \"wp_ajax_nelio\" .`\n    *   Test actions like `nelio_get_stats` or `nelio_load_experiment`.","The Nelio AB Testing plugin for WordPress is vulnerable to SQL Injection in versions up to 8.2.4 due to the direct inclusion of user-supplied parameters in database queries without sufficient preparation or escaping. Authenticated attackers with Editor-level access can exploit this to extract sensitive data, including administrator password hashes, from the site's database.","1. Authenticate to the WordPress target as a user with Editor-level privileges or higher.\n2. Navigate to the Nelio A\u002FB Testing dashboard and extract the WordPress REST API nonce from the 'wpApiSettings' or 'nelioAbTestingSettings' localized JavaScript objects.\n3. Identify a vulnerable REST API route registered by the plugin (likely under the 'nelio-ab-testing\u002Fv1' namespace), such as '\u002Fwp-json\u002Fnelio-ab-testing\u002Fv1\u002Fstats'.\n4. Send a POST or GET request to the identified endpoint containing a SQL injection payload in a parameter like 'id', 'experiment_id', or 'orderby'.\n5. Use a time-based blind injection payload (e.g., '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)') to confirm the vulnerability by observing response time delays.\n6. Proceed to exfiltrate administrative user hashes or other sensitive database contents using boolean-based or time-based blind SQLi techniques.","gemini-3-flash-preview","2026-04-19 02:34:27","2026-04-19 02:36:11",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","8.2.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags\u002F8.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-ab-testing.8.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-ab-testing\u002Ftags"]