{
  "schema_version": "1.6.0",
  "id": "CLR-2026-3032",
  "modified": "2026-07-11T17:30:00Z",
  "published": "2026-07-11T17:30:00Z",
  "summary": "Unauthenticated SQL Injection in the WordPress plugin Admin Note (1.1)",
  "details": "Admin Note (WordPress.org, version 1.1) Admin Note (1.1) ships a directly-accessible PHP file that bootstraps WordPress itself and runs a POST search parameter into a LIKE clause with no authentication, nonce, or sanitisation. An unauthenticated request can inject SQL and read arbitrary database contents (WordPress user password hashes, secrets). A second, admin-only variant concatenates a GET parameter into another query. The plugin has been unmaintained since 2014; no fixed release exists — remove it.",
  "affected": [
    {
      "package": {
        "ecosystem": "WordPress",
        "name": "Admin Note"
      },
      "versions": [
        "1.1"
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://research.codelake.dev/advisories/clr-2026-3032"
    }
  ],
  "credits": [
    {
      "name": "Sascha Klein, codelake Research",
      "type": "FINDER",
      "contact": [
        "https://research.codelake.dev"
      ]
    }
  ],
  "database_specific": {
    "caseId": "CLR-2026-3032",
    "kind": "vuln",
    "class": "SQL Injection (CWE-89)",
    "severity": "Critical",
    "status": "Disclosed",
    "detail_embargoed_until": "2026-08-25",
    "iocs": {
      "ips": [],
      "hashes": [
        "sha256:07e2d10b17826776d5c759e08f5f3a73d3f8ca07af3a38d13d3132bcbe354e94"
      ],
      "indicators": [
        "Admin Note 1.1 (WordPress.org) — wordpress.org/plugins/admin-note",
        "07e2d10b17826776d5c759e08f5f3a73d3f8ca07af3a38d13d3132bcbe354e94 (artifact)",
        "CWE-89 SQL Injection · sanitize_text_field() used as an (ineffective) SQL neutraliser",
        "No authentication required · no nonce · no capability check"
      ]
    }
  }
}