⛔ Critical Security Advisory Admin Note · WordPress.org · 1.1 Disclosed 2026-07-11 · 17:30 UTC
Coordinated disclosure — technical detail withheld until 2026-08-25 (45 days). The affected package, version, vulnerability class and remediation are public on this page so defenders can act now. The exact code location, sink and reproduction are held back to limit exploitation until the window closes, then revealed automatically. Vendor notified 2026-07-11.
Advisory · CLR-2026-3032

Unauthenticated SQL Injection in the WordPress plugin Admin Note (1.1)

Admin Note (WordPress.org, version 1.1) Admin Note (1.1) ships a directly-accessible PHP file that bootstraps WordPress itself and runs a POST search parameter into a LIKE clause with no authentication, nonce, or sanitisation. An unauthenticated request can inject SQL and read arbitrary database contents (WordPress user password hashes, secrets). A second, admin-only variant concatenates a GET parameter into another query. The plugin has been unmaintained since 2014; no fixed release exists — remove it.

CriticalSQL InjectionUnauthenticatedWordPressVerified in source
Summary

Admin Note 1.1 (WordPress.org) contains an unauthenticated sql injection. The plugin registers a handler reachable by visitors who are not logged in, and it concatenates a request parameter straight into a live SQL statement.

A plugin file is directly web-accessible and bootstraps WordPress itself, then runs a POST search parameter straight into a LIKE clause with no authentication, nonce, or SQL escaping, so an unauthenticated request reaches the database unescaped. The result is a blind/time-based SQL-injection channel through which the full database (user password hashes, secrets) can be extracted.

Admin Note was surfaced automatically by the codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification, and then verified by hand against the shipped 1.1 artifact. The plugin has not been updated since 2014-01-23; because no patched release exists, the correct remediation is to remove it.

Impact

Class: SQL Injection (CWE-89). Privilege required: none — the injectable endpoint is registered for logged-out visitors. Effect: read access to the entire database via blind SQL injection (credential hashes, secrets, tokens); depending on database privileges, write access.

A second variant with the same flaw exists in the same file. The precise locations and code are withheld below until the disclosure deadline.

Vulnerable code
🔒
Technical detail withheld until 2026-08-25 (45 days). The affected package, version, vulnerability class and remediation are public on this page. The exact code location, sink and reproduction are held back to limit exploitation while the issue is unpatched, and are revealed automatically once the coordinated-disclosure window closes.
Technical detail
🔒
Technical detail withheld until 2026-08-25 (45 days). The affected package, version, vulnerability class and remediation are public on this page. The exact code location, sink and reproduction are held back to limit exploitation while the issue is unpatched, and are revealed automatically once the coordinated-disclosure window closes.
Timeline
Published
Admin Note listed on WordPress.org; last updated 2014-01-23, unmaintained since.
2026-07-11
Automatic detection
codelake WordPress static-analysis pipeline (source-to-sink taint) flags a request-to-database taint flow with no prepared statement; AI-triage marks it a real finding.
2026-07-11
Manual verification
Confirmed against the shipped 1.1 artifact — unauthenticated reachability verified in source.
2026-07-11
7:30 UTC
WordPress Plugin Security Team notified
Coordinated disclosure opened with full technical detail; a 45-day window begins.
2026-08-25
Technical-detail reveal
The exact code location and reproduction are published automatically after the 45-day window.
Indicators & characteristics
PKGAdmin Note 1.1 (WordPress.org) — wordpress.org/plugins/admin-note
SHA25607e2d10b17826776d5c759e08f5f3a73d3f8ca07af3a38d13d3132bcbe354e94 (artifact)
CLASSCWE-89 SQL Injection · sanitize_text_field() used as an (ineffective) SQL neutraliser
AUTHZNo authentication required · no nonce · no capability check
🔒SINK — withheld until 2026-08-25
🔒ENTRY — withheld until 2026-08-25
Remediation
#ActionPriority
01 Deactivate and delete Admin Note. No patched release exists and it is abandoned; sites should not run version 1.1. Critical
02 Patch: replace every concatenated query with $wpdb->prepare() and typed placeholders (%d/%s). High
03 Add nonce + capability checks (check_ajax_referer(), current_user_can()) to state-changing AJAX handlers and remove any unintended nopriv registration. High
04 Check access logs for requests with SQL metacharacters in parameters during the exposure window. Recommended

Detected by codelake Research · codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification · disclosed to WordPress Plugin Security Team before publication.

This is a coordinated vulnerability disclosure. The affected package, version and class are published immediately so defenders can act; the exact code location and reproduction are withheld until the deadline, and no weaponised proof-of-concept is published. The archived artifact is available to verified security researchers on request.