{
  "schema_version": "1.6.0",
  "id": "CLR-2026-3030",
  "modified": "2026-07-11T14:45:00Z",
  "published": "2026-07-11T14:45:00Z",
  "summary": "SQL Injection in the WordPress plugin WP Page Extension (1.1)",
  "details": "WP Page Extension (WordPress.org, version 1.1) WP Page Extension (1.1) hooks every post-save with no nonce, capability, or autosave check and passes a POST field directly into a SQL statement with no sanitisation. Any authenticated user who can create a post (Contributor and above) can inject SQL and read or modify arbitrary database contents; the missing nonce also makes it CSRF-able. The plugin has been unmaintained since August 2012; no fixed release exists — remove it.",
  "affected": [
    {
      "package": {
        "ecosystem": "WordPress",
        "name": "WP Page Extension"
      },
      "versions": [
        "1.1"
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://research.codelake.dev/advisories/clr-2026-3030"
    }
  ],
  "credits": [
    {
      "name": "Sascha Klein, codelake Research",
      "type": "FINDER",
      "contact": [
        "https://research.codelake.dev"
      ]
    }
  ],
  "database_specific": {
    "caseId": "CLR-2026-3030",
    "kind": "vuln",
    "class": "SQL Injection (CWE-89)",
    "severity": "High",
    "status": "Disclosed",
    "detail_embargoed_until": "2026-08-25",
    "iocs": {
      "ips": [],
      "hashes": [
        "sha256:39bf0862e643109c0251bddcc53501af143618465f64dff58f059c12d0866dcf"
      ],
      "indicators": [
        "WP Page Extension 1.1 (WordPress.org) — wordpress.org/plugins/wp-page-extension",
        "39bf0862e643109c0251bddcc53501af143618465f64dff58f059c12d0866dcf (artifact)",
        "CWE-89 SQL Injection · sanitize_text_field() used as an (ineffective) SQL neutraliser",
        "Any logged-in user (Contributor+) · no nonce · no capability check"
      ]
    }
  }
}