[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4aESdU_vm97akAZuQZegtOxzGjY-g5KCCJEuYPvjIis":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-39479","ottokit-authenticated-administrator-sql-injection","OttoKit \u003C= 1.1.20 - Authenticated (Administrator+) SQL Injection","The OttoKit plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","suretriggers",null,"\u003C=1.1.20","1.1.21","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-23 00:00:00","2026-04-15 21:23:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd156f277-88cb-43aa-895c-63684aa1466e?source=api-prod",24,[22,23,24,25,26,27,28],"app\u002Fbuild\u002Fmain.asset.php","app\u002Fbuild\u002Fmain.js","changelog.txt","readme.txt","src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php","src\u002FControllers\u002FAuthController.php","src\u002FControllers\u002FGlobalSearchController.php","researched",false,3,"## Vulnerability Summary\nThe OttoKit (suretriggers) plugin for WordPress is vulnerable to an authenticated SQL injection in version 1.1.20 and below. The vulnerability exists in the administrative \"Outgoing Requests\" view, where the `orderby` and `order` parameters are used in a database query without sufficient escaping or proper preparation (specifically using `%s` placeholders in `wpdb->prepare()` for SQL identifiers like column names, or direct concatenation). Since `wpdb->prepare()`'s `%s` placeholder quotes values as strings, it is unsuitable for `ORDER BY` clauses, often leading developers to bypass it with unsafe concatenation.\n\n## Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin.php`\n- **Query Parameters:**\n  - `page=suretriggers-status`\n  - `tab=st_outgoing_requests`\n- **Vulnerable Parameters:** `orderby`, `order`\n- **Authentication:** Administrator+ (High privileges required).\n- **Injection Type:** Time-based Blind SQL Injection or Error-based SQL Injection.\n- **Preconditions:** The plugin must be active. The attacker must be logged in as an administrator.\n\n## Code Flow\n1. **Entry Point:** An administrator navigates to the plugin's status page: `admin.php?page=suretriggers-status&tab=st_outgoing_requests`.\n2. **File Loading:** WordPress loads `src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php`.\n3. **Class Initialization:** The script instantiates `SureTriggersWebhookRequestsTable`, which extends `WP_List_Table`.\n4. **Data Preparation:** The `prepare_items()` method is invoked (line 166).\n5. **Input Capture:** The code retrieves unsanitized (only `sanitize_text_field` filtered) input from `$_REQUEST['orderby']` and `$_REQUEST['order']` (lines 182-184).\n6. **SQL Sink:** The input is used in `$wpdb->get_results()` via a flawed `$wpdb->prepare()` call (line 189).\n   ```php\n   \u002F\u002F src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php\n   $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : 'id';\n   $order   = isset( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : 'ASC';\n   \u002F\u002F ...\n   $this->items = $wpdb->get_results( $wpdb->prepare( \"SELECT ... FROM $this->table_name $where ORDER BY %s %s LIMIT %d OFFSET %d\", $orderby, $order, $per_page, $offset ), ARRAY_A );\n   ```\n   If `%s` is used, the query becomes `ORDER BY 'column' 'ASC'`, which is invalid SQL. If the vulnerable version instead used concatenation (e.g., `ORDER BY $orderby $order`), the injection is direct.\n\n## Nonce Acquisition Strategy\nWhile the `orderby` and `order` parameters are typically handled via `GET` requests for sorting in `WP_List_Table` and may not require a nonce for simple viewing, the page includes a nonce for bulk actions.\n1. **Navigate to the page:** Use `browser_navigate` to `wp-admin\u002Fadmin.php?page=suretriggers-status&tab=st_outgoing_requests`.\n2. **Extract Nonce:** The nonce is stored in a hidden input field with the name `_wpnonce`.\n3. **Action String:** The nonce is created using `wp_create_nonce( 'suretriggers_requests_nonce_action' )`.\n4. **Variable extraction:** Use `browser_eval` to get the value: `document.querySelector('input[name=\"_wpnonce\"]').value`.\n\n## Exploitation Strategy\nWe will use a time-based blind SQL injection payload via the `orderby` parameter.\n\n### 1. Confirm Vulnerability (Time-based)\n- **Request Method:** GET\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php`\n- **Parameters:**\n  - `page`: `suretriggers-status`\n  - `tab`: `","The OttoKit plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters on the administrative 'Outgoing Requests' page. Authenticated administrators can exploit this by injecting malicious SQL commands into sorting clauses, allowing for the extraction of sensitive information from the database using time-based blind injection techniques.","\u002F\u002F src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php lines 182-184\n$status_filter = isset( $_REQUEST['status_filter'] ) ? sanitize_text_field( $_REQUEST['status_filter'] ) : '';\n$orderby       = isset( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : 'id';\n$order         = isset( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : 'ASC';\n\n---\n\n\u002F\u002F src\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php line 189\n$this->items = $wpdb->get_results( $wpdb->prepare( \"SELECT id, response_code, request_data, status, error_info, created_at FROM $this->table_name $where ORDER BY %s %s LIMIT %d OFFSET %d\", $orderby, $order, $per_page, $offset ), ARRAY_A );","--- a\u002Fsrc\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php\n+++ b\u002Fsrc\u002FAdmin\u002FViews\u002Fst-admin-outgoing-req-page.php\n@@ -181,8 +181,18 @@\n \t\t}\n \n \t\t$status_filter = isset( $_REQUEST['status_filter'] ) ? sanitize_text_field( $_REQUEST['status_filter'] ) : '';\n-\t\t$orderby       = isset( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : 'id';\n-\t\t$order         = isset( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : 'ASC';\n+\n+\t\t\u002F\u002F Define allowed sortable columns to prevent SQL injection.\n+\t\t$allowed_orderby = array( 'id', 'created_at', 'status', 'response_code' );\n+\t\t$orderby         = ( isset( $_REQUEST['orderby'] ) && in_array( $_REQUEST['orderby'], $allowed_orderby ) ) ? $_REQUEST['orderby'] : 'id';\n+\n+\t\t\u002F\u002F Define allowed order directions.\n+\t\t$order = 'ASC';\n+\t\tif ( isset( $_REQUEST['order'] ) ) {\n+\t\t\t$order = ( 'DESC' === strtoupper( $_REQUEST['order'] ) ) ? 'DESC' : 'ASC';\n+\t\t}\n+\n \t\t$per_page      = $this->get_items_per_page( 'webhook_requests_per_page', 10 );\n \t\t$current_page  = $this->get_pagenum();\n \n@@ -193,7 +203,7 @@\n \n \t\t$offset = ( $current_page - 1 ) * $per_page;\n \n-\t\t$this->items = $wpdb->get_results( $wpdb->prepare( \"SELECT id, response_code, request_data, status, error_info, created_at FROM $this->table_name $where ORDER BY %s %s LIMIT %d OFFSET %d\", $orderby, $order, $per_page, $offset ), ARRAY_A );  \u002F\u002Fphpcs:ignore\n+\t\t$this->items = $wpdb->get_results( $wpdb->prepare( \"SELECT id, response_code, request_data, status, error_info, created_at FROM $this->table_name $where ORDER BY $orderby $order LIMIT %d OFFSET %d\", $per_page, $offset ), ARRAY_A );  \u002F\u002Fphpcs:ignore\n \n \t\t$total_items = $wpdb->get_var( \"SELECT COUNT(*) FROM {$this->table_name} $where\" );  \u002F\u002Fphpcs:ignore","The exploit target is the administrative 'Outgoing Requests' view accessible via 'wp-admin\u002Fadmin.php?page=suretriggers-status&tab=st_outgoing_requests'. An attacker requires Administrator-level privileges to access this page. The vulnerability is triggered by a GET or POST request containing a malicious payload in the 'orderby' parameter. Because the server uses user-supplied input directly in the ORDER BY clause of a database query, an attacker can append SQL logic. For example, a time-based blind SQL injection can be achieved by using a payload like '(CASE WHEN (1=1) THEN SLEEP(5) ELSE id END)'. If the database is vulnerable, the server response will be delayed by the sleep duration, confirming the injection point.","gemini-3-flash-preview","2026-04-18 00:06:49","2026-04-18 00:07:55",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.1.20","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags\u002F1.1.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsuretriggers.1.1.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags\u002F1.1.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsuretriggers.1.1.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsuretriggers\u002Ftags"]