{
  "schema_version": "1.6.0",
  "id": "CLR-2026-3031",
  "modified": "2026-07-11T16:30:00Z",
  "published": "2026-07-11T16:30:00Z",
  "summary": "Unauthenticated SQL Injection in the WordPress plugin Auto Listings (2.7.3)",
  "details": "Auto Listings (WordPress.org, version 2.7.3) Auto Listings (2.7.3) hooks the front-end search query and passes the search parameter through sanitize_text_field() — which strips HTML tags but does not escape SQL — directly into a LIKE clause of a live query. An unauthenticated visitor can inject SQL through the listings search and read arbitrary database contents (WordPress user password hashes, secrets). No fixed release is available.",
  "affected": [
    {
      "package": {
        "ecosystem": "WordPress",
        "name": "Auto Listings"
      },
      "versions": [
        "2.7.3"
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://research.codelake.dev/advisories/clr-2026-3031"
    }
  ],
  "credits": [
    {
      "name": "Sascha Klein, codelake Research",
      "type": "FINDER",
      "contact": [
        "https://research.codelake.dev"
      ]
    }
  ],
  "database_specific": {
    "caseId": "CLR-2026-3031",
    "kind": "vuln",
    "class": "SQL Injection (CWE-89)",
    "severity": "Critical",
    "status": "Disclosed",
    "detail_embargoed_until": "2026-08-25",
    "iocs": {
      "ips": [],
      "hashes": [
        "sha256:cd959ced385f5246fea52d261c51314188c4fb5d4d805f61a5cfa54a1e791087"
      ],
      "indicators": [
        "Auto Listings 2.7.3 (WordPress.org) — wordpress.org/plugins/auto-listings",
        "cd959ced385f5246fea52d261c51314188c4fb5d4d805f61a5cfa54a1e791087 (artifact)",
        "CWE-89 SQL Injection · sanitize_text_field() used as an (ineffective) SQL neutraliser",
        "No authentication required · no nonce · no capability check"
      ]
    }
  }
}