CVE-2026-12512
WordPress Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-12512 is an unauthenticated UNION-based SQL injection vulnerability in the Quotes Llama WordPress plugin affecting all versions before 3.1.6. The flaw allows unauthenticated attackers to read arbitrary data from the WordPress database, including password hashes, by exploiting an unsanitized user-supplied parameter (sc) in a SQL query. It was publicly disclosed on 2026-06-24 and assigned a CVSS score of 8.6 (High) (WPScan). The vulnerability was discovered and submitted by Pablo González Pérez, Francisco José Ramírez Vicente, and Iñigo Sánchez Enciso (WPScan). A patch was released in version 3.1.6 (GitHub Advisory).

Detalhes técnicos

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and stems from the plugin's failure to sanitize or escape the sc POST parameter before incorporating it into a SQL query (WPScan). Exploitation is performed via HTTP POST requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) using the action=select_search or action=select_search_page handlers. The attack requires two preconditions that represent normal plugin usage: a public page rendering a Quotes Llama shortcode (e.g., [quotes-llama mode=page]) to obtain a nonce value, and at least one quote entry in the plugin's database table. No authentication is required, making this exploitable by any anonymous visitor (WPScan).

Impacto

Successful exploitation allows an unauthenticated attacker to extract arbitrary data from the WordPress database via UNION-based SQL injection, including all WordPress user credentials (usernames and password hashes from wp_users) and any other sensitive data stored in the database (WPScan). Compromised password hashes can be subjected to offline cracking, potentially enabling full administrative access to the WordPress site and further lateral movement. The attack is entirely network-accessible and requires no prior authentication, significantly broadening the exposure surface for any internet-facing WordPress installation running the affected plugin (GitHub Advisory).

Etapas de exploração

  1. Reconnaissance: Identify WordPress sites running the Quotes Llama plugin (versions before 3.1.6) using tools like WPScan, Shodan, or by checking plugin metadata at /wp-content/plugins/quotes-llama/.
  2. Locate a shortcode page: Browse the target site to find a public page rendering the [quotes-llama mode=page] shortcode, which exposes the quotes_llama_nonce value in the HTML source.
  3. Extract the nonce: Read the nonce value from the page HTML (e.g., nonce="abc123") — this is required for the AJAX request.
  4. Verify injection (predicate test): Send a POST request to /wp-admin/admin-ajax.php with action=select_search, search_form=1, nonce=<extracted_nonce>, term=NO_SUCH_501510, and sc=quote OR 1=1#. A returned quote confirms the sc parameter is injected as raw SQL.
  5. Extract credentials (UNION attack): Send the following request to dump all WordPress user logins and password hashes:
curl -sk "https://TARGET/wp-admin/admin-ajax.php" -X POST \
  --data-urlencode "action=select_search" --data-urlencode "search_form=1" \
  --data-urlencode "nonce=<extracted_nonce>" --data-urlencode "term=NO_SUCH_501510" \
  --data-urlencode "sc=quote LIKE 0 UNION SELECT user_login,NULL,NULL,NULL,user_pass,NULL,NULL,NULL,NULL FROM wp_users#" \
  --data-urlencode "target=quotes-llama-search"
  1. Crack hashes: Use offline tools (e.g., Hashcat, John the Ripper) against the extracted WordPress password hashes ($P$B... or $wp$2y$...) to recover plaintext passwords.
  2. Achieve full access: Use recovered admin credentials to log into the WordPress dashboard and gain complete site control (WPScan).

Indicadores de compromisso

  • Network: Unusual HTTP POST requests to /wp-admin/admin-ajax.php with action=select_search or action=select_search_page parameters containing SQL keywords such as UNION, SELECT, OR 1=1, or # in the sc field.
  • Logs: WordPress or web server access logs showing repeated POST requests to admin-ajax.php from the same IP with varying sc parameter values; requests with URL-encoded SQL syntax (e.g., %20UNION%20SELECT).
  • Logs: Database query logs (if enabled) showing unexpected UNION SELECT queries against wp_users or other sensitive tables originating from the plugin's query context.
  • Behavioral: A high volume of AJAX requests to admin-ajax.php from unauthenticated sessions, particularly with search_form=1 or search_for_quote=1 parameters (WPScan).

Mitigação e soluções alternativas

The primary remediation is to update the Quotes Llama WordPress plugin to version 3.1.6 or later, which includes proper sanitization and escaping of the affected parameter (WPScan, GitHub Advisory). If an immediate update is not possible, consider disabling the plugin until the patch can be applied. As additional mitigations, deploy a Web Application Firewall (WAF) with rules to block SQL injection patterns in POST parameters, restrict access to wp-admin/admin-ajax.php by IP where feasible, and review database access logs for signs of prior exploitation. After patching, consider resetting WordPress user passwords as a precaution if exploitation cannot be ruled out.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado WordPress Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-12512HIGH8.6
  • quotes-llama
NãoSimJul 15, 2026
CVE-2026-12281HIGH8.1
  • shibboleth
NãoSimJul 15, 2026
CVE-2026-12997HIGH7.5
  • gravityforms
NãoSimJul 15, 2026
CVE-2026-11580MEDIUM5.5
  • kali-forms
NãoSimJul 15, 2026
CVE-2026-11579MEDIUM5.3
  • kali-forms
NãoSimJul 15, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades