VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2023 · Updated Mar 12, 2025

CVE-2023-26325

Description

Authenticated SQL injection in ReviewX WordPress Plugin through the 'rx_export_review' action, allowing attackers with access rights to extract database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The ReviewX WordPress Plugin is vulnerable to an authenticated SQL injection in the rx_export_review action. The issue resides in the improper sanitization of the filterValue and selectedColumns parameters before they are used in SQL queries. This affects versions as disclosed in the Tenable research advisory [1].

Exploitation

An attacker must have authenticated access to the WordPress admin area where the rx_export_review action is available. The attacker can then craft a malicious request with specially crafted values in filterValue or selectedColumns parameters to inject arbitrary SQL commands. The plugin does not validate or escape these inputs, enabling the injection [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the WordPress database. This can lead to disclosure of sensitive data, including user credentials, private posts, and other stored information. The attacker may also be able to modify or delete database content depending on database permissions [1].

Mitigation

As of the publication date (2023-02-23), no official patched version has been disclosed in the available references. Administrators should monitor the plugin's official update channel for a fix and, in the meantime, restrict access to the rx_export_review action to trusted users only [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the 'filterValue' and 'selectedColumns' parameters in the rx_export_review action allows attacker-controlled values to be interpolated directly into a SQL statement."

Attack vector

An authenticated attacker (any role, including subscriber) sends a POST request to /wp-admin/admin-ajax.php with action=rx_export_review and malicious values in the filterValue or selectedColumns parameters [ref_id=1]. The plugin does not escape these parameters before using them in a SQL statement, enabling time-based blind SQL injection [ref_id=1]. The proof of concept demonstrates injecting a SLEEP(5) payload into filterValue[7] to confirm the injection [ref_id=1].

Affected code

The advisory does not specify the exact file or function name for the ReviewX plugin [ref_id=1]. The vulnerability exists in the code handling the 'rx_export_review' AJAX action, where the 'filterValue' and 'selectedColumns' parameters are used unsanitized in a SQL statement [ref_id=1].

What the fix does

No patch is shown in the bundle. The advisory states that versions <= 1.6.6 are affected [ref_id=1]. The remediation would require the plugin to properly escape or parameterize the 'filterValue' and 'selectedColumns' parameters before they are used in SQL queries, preventing attacker-controlled input from altering the query structure.
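
One way the remediation described above could look, as an added example that is not ReviewX code or the vendor's fix: identifiers from selectedColumns and the sort fields are mapped onto an allowlist, and values are bound through $wpdb->prepare(). The table name, column list, nonce action, required capability, and the reading of filterValue[4], [7] and [8] as status filter, sort column and sort direction are assumptions.

```php
<?php
// Added illustration, not ReviewX code. Table name, column allowlist, nonce
// action, capability and the meaning of the filterValue indexes are assumed.
const RX_EXAMPLE_COLUMNS = array( 'id', 'title', 'rating', 'status', 'created_at' );

// Identifiers cannot be bound as placeholders, so only known names pass.
function rx_example_pick_columns( $requested ) {
	$requested = is_array( $requested ) ? array_filter( $requested, 'is_string' ) : array();
	$picked    = array_values( array_intersect( RX_EXAMPLE_COLUMNS, $requested ) );
	return $picked ? $picked : array( 'id' );
}

// Sort column and direction are chosen from fixed values, never echoed back.
function rx_example_pick_order( $column, $direction ) {
	$column    = in_array( $column, RX_EXAMPLE_COLUMNS, true ) ? $column : 'id';
	$direction = ( is_string( $direction ) && 'asc' === strtolower( $direction ) ) ? 'ASC' : 'DESC';
	return array( $column, $direction );
}

function rx_example_export_review() {
	global $wpdb;
	check_ajax_referer( 'rx_example_export', 'nonce' ); // stops the request on a bad nonce
	if ( ! current_user_can( 'manage_options' ) ) {     // subscribers are rejected here
		wp_send_json_error( 'forbidden', 403 );
	}
	$filter   = ( isset( $_POST['filterValue'] ) && is_array( $_POST['filterValue'] ) ) ? wp_unslash( $_POST['filterValue'] ) : array();
	$selected = isset( $_POST['selectedColumns'] ) ? wp_unslash( $_POST['selectedColumns'] ) : array();
	$columns  = rx_example_pick_columns( $selected );
	list( $order_by, $dir ) = rx_example_pick_order( $filter[7] ?? 'id', $filter[8] ?? 'desc' );
	$status   = ( isset( $filter[4] ) && is_string( $filter[4] ) ) ? $filter[4] : 'all';

	$sql  = 'SELECT ' . implode( ', ', $columns ) . " FROM {$wpdb->prefix}rx_example_reviews";
	$args = array();
	if ( 'all' !== $status ) {
		$sql   .= ' WHERE status = %s'; // value is bound, not concatenated
		$args[] = $status;
	}
	$sql   .= " ORDER BY {$order_by} {$dir} LIMIT %d";
	$args[] = 1000;
	wp_send_json_success( $wpdb->get_results( $wpdb->prepare( $sql, $args ), ARRAY_A ) );
}
add_action( 'wp_ajax_rx_example_export_review', 'rx_example_export_review' );
```

With this shape, a value such as the SLEEP(5) string from the proof of concept fails the allowlist check and falls back to the default sort column instead of reaching the query.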

Preconditions

  • auth: Attacker must be authenticated to WordPress (any role, including subscriber).
  • network: Attacker must be able to send HTTP POST requests to the WordPress admin-ajax.php endpoint.
  • input: Attacker must supply crafted values in the filterValue or selectedColumns POST parameters.

Reproduction

Proof-of-concept request from the advisory [ref_id=1]:

curl "http://$TARGET_HOST/wp-admin/admin-ajax.php" --header "$WP_COOKIE" --data "action=rx_export_review&filterValue[0]=&filterValue[1]=&filterValue[2]=&filterValue[3]=&filterValue[4]=all&filterValue[5]=&filterValue[6]=aaaa&filterValue[7]=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&filterValue[8]=desc&selectedColumns[0]=id"

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
