Unrated severity · NVD Advisory · Published Dec 24, 2022 · Updated Apr 14, 2025

Modern Tribe Panel Builder Plugin SearchFilter.php add_post_content_filtered_to_search_sql SQL injection

CVE-2020-36626

Description

SQL injection in Modern Tribe Panel Builder Plugin's search filter function allows remote attackers to execute arbitrary SQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Modern Tribe Panel Builder Plugin contains an SQL injection vulnerability in the add_post_content_filtered_to_search_sql function within ModularContent/SearchFilter.php. The function fails to properly sanitize user input used in a SQL LIKE clause, allowing an attacker to inject arbitrary SQL. All versions prior to the commit 4528d4f855dbbf24e9fc12a162fda84ce3bedc2f are affected.

Exploitation

The vulnerability can be triggered remotely without authentication [1]. An attacker can send a crafted search request containing malicious SQL payloads in the search filter. The exploit has been publicly disclosed and may be used to automate attacks.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database, leading to unauthorized data access, modification, or deletion. This can compromise the confidentiality, integrity, and availability of the application data.

Mitigation

The issue is fixed in commit 4528d4f855dbbf24e9fc12a162fda84ce3bedc2f [2]. Users should apply the patch or update to a version containing this fix. The repository has been archived and is no longer actively maintained, so users may need to manually apply the patch or migrate to an alternative solution.
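Because the fix is identified by a commit rather than a release number, an installed copy can only be checked by its content. The script below is an added example, not part of the advisory or the plugin: it classifies a copy of ModularContent/SearchFilter.php by which of the two $pattern lines from the fix commit's diff it contains. The function name check_searchfilter and its status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a copy of ModularContent/SearchFilter.php by which
# $pattern line from the fix commit's diff it contains.

# Fixed strings taken from the diff on this page (matched literally by grep -F).
VULNERABLE_PATTERN="post_content LIKE '(.*?)'"
PATCHED_PATTERN="post_content LIKE '{(.*?)}'"

# check_searchfilter FILE  (hypothetical helper name)
# Prints one of: vulnerable | patched | unknown | missing
# Returns 0 only for "patched", so it can gate a deployment step.
check_searchfilter() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "missing"
        return 3
    fi
    # The old pattern wins: a file that still carries it anywhere needs
    # attention even if the new pattern also appears (half-applied patch).
    if grep -qF -- "$VULNERABLE_PATTERN" "$file"; then
        echo "vulnerable"
        return 1
    fi
    if grep -qF -- "$PATCHED_PATTERN" "$file"; then
        echo "patched"
        return 0
    fi
    # Neither line found: locally modified or a different revision.
    echo "unknown"
    return 2
}

# Stand-alone use: pass one or more paths to SearchFilter.php.
for f in "$@"; do
    result=$(check_searchfilter "$f") || true
    printf '%s\t%s\n' "$result" "$f"
done
```

A result of "unknown" means neither line from the diff is present, so the file needs a manual comparison against the fix commit.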

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

1
4528d4f855db

Merge pull request #173 from moderntribe/security/fix-search-xss

1 file changed · +3 −3
  • ModularContent/SearchFilter.php · +3 −3 · modified
    @@ -34,8 +34,8 @@ public function add_post_content_filtered_to_search_sql( $sql, $query ) {
     		if ( $query->get( 'panel_search_filter' ) ) {
     			global $wpdb;
     			remove_filter( 'posts_search', array( $this, 'add_post_content_filtered_to_search_sql' ), 1000, 2 );
    -			
    -			$pattern = "#OR \($wpdb->posts.post_content LIKE '(.*?)'\)#";
    +
    +			$pattern = "#OR \($wpdb->posts.post_content LIKE '{(.*?)}'\)#";
     			$sql = preg_replace_callback( $pattern, array( $this, 'replace_callback' ), $sql );
     		}
     		return $sql;
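Review bot: On the changed $pattern line, the literal braces in LIKE '{(.*?)}' are unescaped and unexplained. Write them as \{ and \} so PCRE can never read them as a quantifier, and add a comment naming what produces the {...} wrapper in the search SQL, because when that wrapper is absent the pattern matches nothing and replace_callback never adds the post_content_filtered clause. The capture is still the unconstrained (.*?) and $wpdb->posts is still interpolated into the regex without preg_quote(); a narrower capture and a quoted table name would make the match depend less on what the search term contains. The merge title reads fix-search-xss while the change is to SQL rewriting, so the commit message should state what is actually being fixed.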
    @@ -54,4 +54,4 @@ private function replace_callback( $matches ) {
     		$post_content_filtered = str_replace( $wpdb->posts.'.post_content', $wpdb->posts.'.post_content_filtered', $post_content );
     		return $post_content.' '.$post_content_filtered;
     	}
    -}
    \ No newline at end of file
    +}
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
