SQL Injection in the WordPress plugin WP Page Extension (1.1)
WP Page Extension (WordPress.org, version 1.1) WP Page Extension (1.1) hooks every post-save with no nonce, capability, or autosave check and passes a POST field directly into a SQL statement with no sanitisation. Any authenticated user who can create a post (Contributor and above) can inject SQL and read or modify arbitrary database contents; the missing nonce also makes it CSRF-able. The plugin has been unmaintained since August 2012; no fixed release exists — remove it.
WP Page Extension 1.1 (WordPress.org) contains an authenticated (Contributor+) sql injection. The plugin registers a handler reachable by any authenticated user (Contributor+), and it concatenates a request parameter straight into a live SQL statement.
The handler runs on every post-save with no nonce, capability, or autosave check, and passes a POST field directly into a SQL statement with no sanitisation, integer cast, or prepared statement. The result is a blind/time-based SQL-injection channel through which the full database (user password hashes, secrets) can be extracted.
WP Page Extension was surfaced automatically by the codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification, and then verified by hand against the shipped 1.1 artifact. The plugin has not been updated since 2012-08-29; because no patched release exists, the correct remediation is to remove it.
Class: SQL Injection (CWE-89). Privilege required: a low-privileged (Contributor+) account. Effect: read access to the entire database via blind SQL injection (credential hashes, secrets, tokens); depending on database privileges, write access.
The precise sink locations and code are withheld below until the disclosure deadline.
4:45 UTC
Detected by codelake Research · codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification · disclosed to WordPress Plugin Security Team before publication.
This is a coordinated vulnerability disclosure. The affected package, version and class are published immediately so defenders can act; the exact code location and reproduction are withheld until the deadline, and no weaponised proof-of-concept is published. The archived artifact is available to verified security researchers on request.