Unauthenticated SQL Injection in the WordPress plugin Admin Note (1.1)
Admin Note (WordPress.org, version 1.1) Admin Note (1.1) ships a directly-accessible PHP file that bootstraps WordPress itself and runs a POST search parameter into a LIKE clause with no authentication, nonce, or sanitisation. An unauthenticated request can inject SQL and read arbitrary database contents (WordPress user password hashes, secrets). A second, admin-only variant concatenates a GET parameter into another query. The plugin has been unmaintained since 2014; no fixed release exists — remove it.
Admin Note 1.1 (WordPress.org) contains an unauthenticated sql injection. The plugin registers a handler reachable by visitors who are not logged in, and it concatenates a request parameter straight into a live SQL statement.
A plugin file is directly web-accessible and bootstraps WordPress itself, then runs a POST search parameter straight into a LIKE clause with no authentication, nonce, or SQL escaping, so an unauthenticated request reaches the database unescaped. The result is a blind/time-based SQL-injection channel through which the full database (user password hashes, secrets) can be extracted.
Admin Note was surfaced automatically by the codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification, and then verified by hand against the shipped 1.1 artifact. The plugin has not been updated since 2014-01-23; because no patched release exists, the correct remediation is to remove it.
Class: SQL Injection (CWE-89). Privilege required: none — the injectable endpoint is registered for logged-out visitors. Effect: read access to the entire database via blind SQL injection (credential hashes, secrets, tokens); depending on database privileges, write access.
A second variant with the same flaw exists in the same file. The precise locations and code are withheld below until the disclosure deadline.
7:30 UTC
Detected by codelake Research · codelake WordPress static-analysis pipeline (source-to-sink taint) · AI false-positive triage · manual source verification · disclosed to WordPress Plugin Security Team before publication.
This is a coordinated vulnerability disclosure. The affected package, version and class are published immediately so defenders can act; the exact code location and reproduction are withheld until the deadline, and no weaponised proof-of-concept is published. The archived artifact is available to verified security researchers on request.