[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f___wJR8Xiwdzp9M8h9wXi52GZbpc97BZ-kN3GHEMa0M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-7472","read-more-accordion-authenticated-administrator-sql-injection-via-orderby-parameter","Read More & Accordion \u003C= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter","The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only processed through esc_attr() (an HTML-escaping function) before being passed to these database functions, where esc_sql() is applied but the value is directly concatenated—unquoted—into the ORDER BY fragment of the SQL query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes (which are irrelevant in an unquoted ORDER BY context), an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly permitted access to the plugin's admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes.","expand-maker",null,"\u003C=3.5.7","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-19 12:12:45","2026-05-20 01:25:54",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcc7c7e21-fbd7-4451-bc7d-3d11db01a443?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-7472\n\n## 1. Vulnerability Summary\nThe **Read More & Accordion** plugin (version \u003C= 3.5.7) is vulnerable to a **Time-Based Blind SQL Injection** via the `orderby` GET parameter. The vulnerability exists because the plugin directly concatenates the user-supplied `orderby` value into an SQL `ORDER BY` clause within the `getAllDataByLimit()` and `getAccordionAllDataByLimit()` functions (located in `ReadMoreData.php`). \n\nWhile the value is processed by `esc_attr()` and `esc_sql()`, the lack of surrounding quotes in the `ORDER BY` fragment renders `esc_sql()` ineffective. `esc_sql()` primarily escapes quotes and backslashes, which are not required for an attacker to inject subqueries or conditional logic into an unquoted `ORDER BY` context. This allows an authenticated attacker (Administrator level or any user with the `yrm-user-roles` capability) to extract sensitive data, such as password hashes, by monitoring the server's response time.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php`\n*   **Plugin Admin Page:** Likely `?page=expand_maker_read_more` or `?page=expand_maker_accordion` (inferred from slug `expand-maker`).\n*   **Vulnerable Parameter:** `orderby` (via `$_GET`)\n*   **Authentication Required:** Administrator-level access (default) or any role permitted via the plugin's `yrm-user-roles` setting.\n*   **Preconditions:** At least one \"Read More\" or \"Accordion\" entry must exist in the database so that the vulnerable functions (`getAllDataByLimit` or `getAccordionAllDataByLimit`) are called to populate the admin list view.\n\n## 3. Code Flow\n1.  An administrator navigates to the plugin's data list view in the WordPress dashboard.\n2.  The controller for the admin page calls either `ReadMoreData::getAllDataByLimit()` or `ReadMoreData::getAccordionAllDataByLimit()`.\n3.  The `orderby` parameter is retrieved from `$_GET['orderby']`.\n4.  The value is passed through `esc_attr()`.\n5.  Inside `ReadMoreData.php`:\n    *   The code snippet resembles: `$order_by = esc_sql( $_GET['orderby'] );`\n    *   The SQL query is constructed: `$query = \"SELECT * FROM {$wpdb->prefix}table ORDER BY $order_by $order LIMIT $offset, $limit\";`\n    *   Because `$order_by` is not wrapped in quotes (e.g., `ORDER BY '$order_by'`), `esc_sql` does not prevent the injection of keywords or subqueries.\n6.  `$wpdb->get_results()` executes the query.\n\n## 4. Nonce Acquisition Strategy\nWhile this is an `admin.php` page, standard WordPress admin list tables often use nonces for actions (delete, edit), but simple sorting (`orderby`) often does **not** require a specific nonce in the GET request.\n\nHowever, to ensure authentication:\n1.  **Login:** Use `wp-cli` or `http_request` to authenticate as an administrator.\n2.  **Navigation:** Use `browser_navigate` to `wp-admin\u002Fadmin.php?page=expand_maker_read_more`.\n3.  **Extraction:** If the plugin requires a nonce for this specific view, the execution agent should use `browser_eval`:\n    *   Check for localized scripts: `browser_eval(\"window.yrm_read_more_vars?.nonce\")` or similar (inferred).\n    *   Since this is a GET-based injection in the admin panel, the primary requirement is the **session cookie**.\n\n## 5. Exploitation Strategy\nThe goal is to perform a time-based blind injection to confirm the vulnerability.\n\n### Step 1: Confirmation (Time Delay)\nSend a request that triggers a 5-second delay.\n*   **Method:** GET\n*   **URL:** `wp-admin\u002Fadmin.php?page=expand_maker_read_more&orderby=(SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n*   **Alternative Payload (Conditional):** `wp-admin\u002Fadmin.php?page=expand_maker_read_more&orderby=(CASE WHEN (1=1) THEN id ELSE (SELECT 1 FROM (SELECT(SLEEP(5)))a) END)`\n\n### Step 2: Data Extraction (Admin Hash)\nExtract the first character of the admin user's password hash.\n*   **Payload:** `(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN SLEEP(5) ELSE id END)`\n*   *Note: ASCII 36 is '$', the start of many WordPress hashes.*\n\n### Execution Tool:\nUse the `http_request` tool to send these requests with the appropriate admin cookies.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `expand-maker` (Read More & Accordion) version 3.5.7 is installed.\n2.  **Create Entry:** Use `wp-cli` to create at least one entry so the database query returns results.\n    *   The plugin likely uses a custom table. If unknown, create a \"Read More\" item via the UI using `browser_click` and `browser_type`.\n3.  **Identify Admin Page:** Navigate to the plugin menu to confirm the `page` parameter value (e.g., `expand_maker_read_more`).\n\n## 7. Expected Results\n*   **Normal Request:** Response time \u003C 500ms.\n*   **Attack Request:** Response time > 5000ms (5 seconds).\n*   **Response Content:** The HTML response should still load (though delayed), confirming the query executed successfully.\n\n## 8. Verification Steps\n1.  **Time Delta:** Compare the `request_time` of a standard request vs. the injection request.\n2.  **Database Integrity:** Use `wp db query \"SELECT ...\"` via `wp-cli` to verify that the query used in the payload matches the actual database structure (confirming the table names like `wp_users` are accessible).\n3.  **Logs:** Check `wp-content\u002Fdebug.log` (if `WP_DEBUG` is on) for any SQL syntax errors if the payload needs adjustment.\n\n## 9. Alternative Approaches\n*   **Error-Based:** If `WP_DEBUG` is enabled, try an error-based payload like `(select 1 from (select count(*),concat(0x7e,version(),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)`.\n*   **Boolean-Based:** Observe if the list of items is sorted differently when the condition is true vs. false.\n    *   `orderby=IF(1=1, id, title)` vs `orderby=IF(1=2, id, title)`.\n*   **Other Parameters:** Check if the `order` parameter (ASC\u002FDESC) or `limit` parameters are similarly concatenated without sanitization in `ReadMoreData.php`.","The Read More & Accordion plugin for WordPress (\u003C= 3.5.7) is vulnerable to a time-based blind SQL Injection due to the lack of proper sanitization and quoting for the 'orderby' parameter. An authenticated attacker with administrative privileges can inject SQL subqueries to extract sensitive database information, such as password hashes, by monitoring server response delays.","\u002F\u002F In ReadMoreData.php inside getAllDataByLimit() or getAccordionAllDataByLimit()\n\n$orderby = isset($_GET['orderby']) ? esc_attr($_GET['orderby']) : 'id';\n\u002F\u002F ...\n$order_by = esc_sql( $orderby );\n\u002F\u002F The variable is concatenated directly into the ORDER BY clause without surrounding quotes\n$query = \"SELECT * FROM {$wpdb->prefix}table_name ORDER BY $order_by $order LIMIT $offset, $limit\";\n$results = $wpdb->get_results($query);","--- a\u002FReadMoreData.php\n+++ b\u002FReadMoreData.php\n@@ -12,7 +12,13 @@\n- $order_by = esc_sql( $_GET['orderby'] );\n+ $allowed_columns = ['id', 'title', 'date', 'status'];\n+ $orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'id';\n+ if (!in_array($orderby, $allowed_columns)) {\n+     $order_by = 'id';\n+ } else {\n+     $order_by = $orderby;\n+ }\n  $query = $wpdb->prepare(\n-     \"SELECT * FROM {$wpdb->prefix}table ORDER BY $order_by $order LIMIT %d, %d\",\n+     \"SELECT * FROM {$wpdb->prefix}table ORDER BY %1s %1s LIMIT %d, %d\",\n+     $order_by,\n+     $order,\n      $offset,\n      $limit\n  );","The exploit targets the administrative list view for 'Read More' or 'Accordion' items. An attacker must first authenticate as an administrator (or a role granted access via plugin settings). The vulnerability is triggered by sending a GET request to `wp-admin\u002Fadmin.php` with the `page` parameter set to the plugin's menu (e.g., `expand_maker_read_more`) and an `orderby` parameter containing a subquery. A functional payload for confirmation uses a time-delay function, such as `?page=expand_maker_read_more&orderby=(SELECT 1 FROM (SELECT(SLEEP(5)))a)`. If the server response is delayed by 5 seconds, the injection is confirmed. Data extraction is achieved by using conditional logic within the `ORDER BY` clause, such as `CASE WHEN (condition) THEN SLEEP(5) ELSE id END`, to leak information bit-by-bit based on time responses.","gemini-3-flash-preview","2026-05-20 16:46:46","2026-05-20 16:47:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexpand-maker\u002Ftags"]