[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSHQmpfBNgElHTPXR1iindANHcsVyHnTQ1hW4Nxjbh20":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32539","publishpress-revisions-duplicate-posts-submit-approve-and-schedule-content-changes-unauthenticated-sql-injection","PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes \u003C= 3.7.23 - Unauthenticated SQL Injection","The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","revisionary",null,"\u003C=3.7.23","3.7.24","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 00:00:00","2026-03-26 20:49:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9ee14f5f-c558-43d3-8aae-6ea50933759a?source=api-prod",7,[22,23,24,25,26,27,28,29],"CHANGELOG.md","admin\u002Fadmin-posts_rvy.php","admin\u002Fadmin_rvy.php","admin\u002Fclass-list-table-archive.php","admin\u002Fclass-list-table_rvy.php","admin\u002Fhistory_rvy.php","admin\u002Foptions.php","admin\u002Fpost-edit_rvy.php","researched",false,3,"```markdown\n# Exploitation Research Plan: CVE-2026-32539 (PublishPress Revisions SQL Injection)\n\n## 1. Vulnerability Summary\nThe PublishPress Revisions plugin (\u003C= 3.7.23) contains an unauthenticated SQL injection vulnerability. The issue originates from the `Revisionary_Archive_List_Table` and `Revisionary_List_Table` classes (and associated global filters), where user-supplied parameters from `$_REQUEST` are insufficiently sanitized (using `sanitize_text_field` instead of `prepare`) and then concatenated into SQL queries. Specifically, parameters like `origin_post_type` and `s` are used to build a `$base_query` which is then interpolated into further SQL statements. Because the plugin failed to properly enforce capabilities for the Revision Archive and Queue screens in affected versions, these endpoints—and the underlying vulnerable queries—are accessible to unauthenticated attackers.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=revisionary-archive` (The Past Revisions screen).\n- **Vulnerable Parameter**: `origin_post_type` (and potentially `s`).\n- **Authentication**: Unauthenticated (due to improper capability enforcement in version 3.7.23).\n- **Action**: A GET or POST request to the admin page with an SQL injection payload in the `origin_post_type` parameter.\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to `","The PublishPress Revisions plugin for WordPress is vulnerable to unauthenticated SQL injection due to improper preparation of user-supplied parameters like 'origin_post_type' and 's' within the revision archive and queue list tables. Because version 3.7.23 and earlier failed to enforce administrative capabilities for these screens, unauthenticated attackers can extract sensitive database information by sending crafted requests to the plugin's administration endpoints.","\u002F\u002F File: admin\u002Fclass-list-table-archive.php\n\u002F\u002F Lines 530-532\nif( isset( $_REQUEST['origin_post_type'] ) && ! empty( $_REQUEST['origin_post_type'] ) ) { \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n    $args['origin_post_type'] = sanitize_text_field( $_REQUEST['origin_post_type'] ); \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n}\n\n\u002F\u002F Lines 535-545\n$base_query = $this->do_query( $args );\n\n\u002F\u002F phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching\n$results = $wpdb->get_results(\n    $wpdb->prepare(\n        \"{$base_query} LIMIT %d,%d\", \u002F\u002F phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared\n        $offset,\n        $per_page\n    )\n);\n\n\u002F\u002F phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching\n$total_items = $wpdb->get_var(\n    \"SELECT COUNT(*) as total_items FROM ($base_query) as total_items_subquery\" \u002F\u002F phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared\n);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.23\u002Fadmin\u002Fadmin_rvy.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.24\u002Fadmin\u002Fadmin_rvy.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.23\u002Fadmin\u002Fadmin_rvy.php\t2026-01-08 21:35:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.24\u002Fadmin\u002Fadmin_rvy.php\t2026-02-18 20:55:34.000000000 +0000\n@@ -228,10 +228,11 @@\n \n \t function fltAdminBodyClass($classes) {\n \n+\t\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized\n \t\tif (!empty($_REQUEST['page']) && in_array($_REQUEST['page'], ['revisionary-settings', 'rvy-net_options', 'rvy-default_options', 'revisionary-q', 'revisionary-deletion', 'revisionary-archive'])) {\n \t\t\t$classes .= ' revisionary';\n \t\t\t\n-\t\t\tswitch ($_REQUEST['page']) {\n+\t\t\tswitch ($_REQUEST['page']) {\t\u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n \t\t\t\tcase 'revisionary-archive':\n \t\t\t\t\t$classes .= ' revisionary-archive';\n \t\t\t\t\tbreak;\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.23\u002Fadmin\u002Fclass-list-table-archive.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.24\u002Fadmin\u002Fclass-list-table-archive.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.23\u002Fadmin\u002Fclass-list-table-archive.php\t2026-01-08 21:35:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frevisionary\u002F3.7.24\u002Fadmin\u002Fclass-list-table-archive.php\t2026-02-18 20:55:34.000000000 +0000\n@@ -674,12 +674,12 @@\n \n \t\t\t\t\tprintf(\n \t\t\t\t\t\tesc_html__('Edit of %s', 'revisionary'),\n-\t\t\t\t\t\t\"\u003Cspan title='$this->active_revision_title'>\" . $status_label . '\u003C\u002Fspan>'\n+\t\t\t\t\t\t\"\u003Cspan title='\" . esc_attr($this->active_revision_title) . \"'>\" . esc_html($status_label) . '\u003C\u002Fspan>'\n \t\t\t\t\t);\n \n \t\t\t\t} elseif ($this->parent_from_revision_workflow) {\n \t\t\t\t\tprintf(\"\u003Cspan title='%s'>%s\u003C\u002Fspan>\",\n-\t\t\t\t\t\t$this->from_revision_title,\n+\t\t\t\t\t\tesc_html($this->from_revision_title),\n \t\t\t\t\t\tesc_html__('Edit of published Revision', 'revisionary')\n \t\t\t\t\t);\n \t\t\t\t} elseif ($this->direct_edit) {","1. **Identify Vulnerable Endpoint**: Target the Past Revisions screen via `\u002Fwp-admin\u002Fadmin.php?page=revisionary-archive`.\n2. **Verify Accessibility**: Confirm that the page is accessible without authentication (fixed in 3.7.24 by enforcing the `view_revision_archive` capability).\n3. **Inject Payload**: Send a GET or POST request to the endpoint with a SQL injection payload in the `origin_post_type` parameter (e.g., `origin_post_type=post' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`).\n4. **Observe Response**: Use time-based blind injection or boolean-based techniques to infer database contents from the response latency or page output.\n5. **Data Extraction**: Automate the process to dump sensitive information like administrator password hashes or configuration details from the `wp_users` and `wp_options` tables.","gemini-3-flash-preview","2026-04-18 01:34:55","2026-04-18 01:35:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.7.23","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevisionary\u002Ftags\u002F3.7.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frevisionary.3.7.23.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevisionary\u002Ftags\u002F3.7.24","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frevisionary.3.7.24.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frevisionary\u002Ftags"]