{
  "schema_version": "1.6.0",
  "id": "CLR-2026-3029",
  "modified": "2026-07-11T13:00:00Z",
  "published": "2026-07-11T13:00:00Z",
  "summary": "Unauthenticated SQL Injection in the WordPress plugin Voting for a photo (1.2)",
  "details": "Voting for a photo (WordPress.org, version 1.2) Voting for a photo (1.2) registers a public, unauthenticated admin-ajax.php action whose handler concatenates a POST parameter directly into a SQL query with no sanitisation, integer cast, or prepared statement. An unauthenticated visitor can inject SQL and read arbitrary database contents (WordPress user password hashes, secrets). The plugin has been unmaintained since December 2018; no fixed release exists — remove it.",
  "affected": [
    {
      "package": {
        "ecosystem": "WordPress",
        "name": "Voting for a photo"
      },
      "versions": [
        "1.2"
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://research.codelake.dev/advisories/clr-2026-3029"
    }
  ],
  "credits": [
    {
      "name": "Sascha Klein, codelake Research",
      "type": "FINDER",
      "contact": [
        "https://research.codelake.dev"
      ]
    }
  ],
  "database_specific": {
    "caseId": "CLR-2026-3029",
    "kind": "vuln",
    "class": "SQL Injection (CWE-89)",
    "severity": "Critical",
    "status": "Disclosed",
    "detail_embargoed_until": "2026-08-25",
    "iocs": {
      "ips": [],
      "hashes": [
        "sha256:61d8da69c8ad4a7a9f7be6a920da9be9c564e066512ba63e76e6c0845b7098e0"
      ],
      "indicators": [
        "Voting for a photo 1.2 (WordPress.org) — wordpress.org/plugins/voting-for-a-photo",
        "61d8da69c8ad4a7a9f7be6a920da9be9c564e066512ba63e76e6c0845b7098e0 (artifact)",
        "CWE-89 SQL Injection · sanitize_text_field() used as an (ineffective) SQL neutraliser",
        "No authentication required · no nonce · no capability check"
      ]
    }
  }
}