VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2023 · Updated Sep 6, 2024

The Hackers Diet Plugin HTTP POST Request ajax_blurb.php sql injection

CVE-2007-10003

Description

A vulnerability, which was classified as critical, has been found in The Hackers Diet Plugin up to 0.9.6b on WordPress. This issue affects some unknown processing of the file ajax_blurb.php of the component HTTP POST Request Handler. The manipulation of the argument user leads to sql injection. The attack may be initiated remotely. Upgrading to version 0.9.7b is able to address this issue. The patch is named 7dd8acf7cd8442609840037121074425d363b694. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-243803.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation on the 'user' parameter allows direct SQL injection in multiple plugin files."

Attack vector

An attacker sends a crafted HTTP POST request to `ajax_blurb.php` (or a GET request to `hackersdiet_chart.php`) with a malicious `user` parameter containing SQL metacharacters. Because the input was directly concatenated into SQL queries without validation or parameterization, the attacker can inject arbitrary SQL commands. The attack is remotely exploitable over the network with no authentication required, as the vulnerable files are publicly accessible WordPress plugin endpoints [ref_id=1].

Affected code

The vulnerability exists in `ajax_blurb.php` (and similarly `ajax_togo.php` and `hackersdiet_chart.php`) where the `user` parameter from HTTP POST/GET requests was directly interpolated into SQL queries without sanitization. In `ajax_blurb.php`, the line `$user_id = $_POST["user"];` assigned unsanitized user input to a variable later used in database queries. The same pattern appears in `hackersdiet_chart.php` where `$_GET["user"]` and `$_GET["weeks"]` were used directly in SQL strings.

What the fix does

The patch adds an `is_numeric()` guard before using the `user` parameter in `ajax_blurb.php`, `ajax_togo.php`, and `hackersdiet_chart.php` — if the value is not numeric the script exits immediately [patch_id=2243704]. Additionally, in `hackersdiet_chart.php` the `user_id` variable is now wrapped in double quotes within the SQL query string, providing a secondary defense. The commit message confirms these changes address "SQL injection holes for chart" [ref_id=1]. No other remediation steps are documented beyond upgrading to version 0.9.7b.
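The following is an added illustration of the pattern this section describes, not code from the plugin or from the 0.9.7b patch. It places the unsafe interpolation beside the `is_numeric()` guard the advisory attributes to the fix, and beside a stricter integer check with a placeholder-based query of the kind WordPress's `$wpdb->prepare()` builds. Function names, the table and column names, and the sample inputs are all constructed for the example.

```php
<?php
// Added example (not the plugin's code). Table/column names and the
// function names are placeholders chosen for illustration.

// BEFORE: the pattern the advisory describes. Whatever arrives in the
// "user" field is concatenated straight into the SQL text.
function build_query_unsafe(array $post): string {
    $user_id = $post["user"];                        // unsanitized input
    return "SELECT * FROM example_weights WHERE user_id = $user_id";
}

// AFTER, mirroring the guard the advisory attributes to 0.9.7b: reject
// anything non-numeric before it reaches the query, and quote the value
// as a secondary measure. Returns null where the plugin would call exit.
function build_query_guarded(array $post): ?string {
    if (!isset($post["user"]) || !is_numeric($post["user"])) {
        return null;                                 // plugin: exit;
    }
    $user_id = $post["user"];
    return "SELECT * FROM example_weights WHERE user_id = \"$user_id\"";
}

// Stricter form: accept only a positive integer, then bind it through a
// placeholder. In WordPress this would be
//   $wpdb->prepare("SELECT ... WHERE user_id = %d", $id);
// a tiny stand-in is used here so the file runs outside WordPress.
function prepare_stub(string $sql, int $id): string {
    return str_replace('%d', (string) $id, $sql);
}

function build_query_prepared(array $post): ?string {
    $id = filter_var($post["user"] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        return null;
    }
    return prepare_stub("SELECT * FROM example_weights WHERE user_id = %d", $id);
}

// Constructed sample requests, not captured traffic.
$cases = [
    "benign"    => ["user" => "42"],
    "metachars" => ["user" => "42 OR 1=1"],   // rejected by both checks
    "exponent"  => ["user" => "1e3"],         // passes is_numeric(), fails the int check
    "missing"   => [],
];

foreach ($cases as $label => $post) {
    $unsafe   = isset($post["user"]) ? build_query_unsafe($post) : "(no user field)";
    $guarded  = build_query_guarded($post)  ?? "rejected";
    $prepared = build_query_prepared($post) ?? "rejected";
    printf("%-9s unsafe:   %s\n", $label, $unsafe);
    printf("%-9s guarded:  %s\n", $label, $guarded);
    printf("%-9s prepared: %s\n\n", $label, $prepared);
}
```

Note that `is_numeric()` also accepts decimals, signs and exponent notation such as `1e3`, which is harmless for the injection described here but not what an integer user id should look like; the `FILTER_VALIDATE_INT` variant closes that gap and the placeholder binding removes string interpolation from the query altogether.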

Preconditions

  • config: The vulnerable plugin (The Hackers Diet up to 0.9.6b) must be installed and active on a WordPress site
  • network: Attacker must be able to send HTTP POST requests to ajax_blurb.php or HTTP GET requests to hackersdiet_chart.php
  • auth: No authentication is required; the vulnerable endpoints are publicly accessible
  • input: The 'user' parameter must contain SQL metacharacters to exploit the injection

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
