
Add CVE-2026-2495 WordPress WPNakama SQL Injection #15385

Open
stranger00135 wants to merge 4 commits into projectdiscovery:main from stranger00135:add-cve-2026-2495

stranger00135 commented Feb 18, 2026

WordPress WPNakama <= 0.6.5 - SQL Injection (CVE-2026-2495)

Verification Evidence

✅ VERIFIED via source code analysis

Vulnerable Code Location: /inc/class-wpnakama-api.php, get_records() function (lines ~200-270)

Vulnerability Details:
The $order parameter is inserted directly into SQL queries without proper escaping or validation:

if ( ! empty( $orderby ) ) {
    // Escape column name for safe SQL usage.
    $orderby = esc_sql( $orderby );
    
    $query = $this->db->prepare(
        "SELECT * FROM {$table_name} ORDER BY {$orderby} {$order} LIMIT %d,%d",
        $offset_rows,
        $records_per_page
    );
}

While $orderby is properly escaped using esc_sql(), the $order parameter is NOT escaped, allowing SQL injection through time-based blind SQLi techniques.

Attack Vector:

GET /?rest_route=/WPNakama/v1/boards&order_by=board_id&order=ASC,(SELECT+SLEEP(6))--&per_page=10

Impact:

  • Unauthenticated SQL injection via REST API endpoint /wp-json/WPNakama/v1/boards
  • Time-based blind SQLi allows extraction of sensitive database information
  • CVSS 7.5 (High) - No authentication required

Versions Affected: <= 0.6.3
Patched In: 0.6.4 (changelog: "Security improvements in API")

Plugin Source: https://wordpress.org/plugins/wpnakama/
Download URL: https://downloads.wordpress.org/plugin/wpnakama.0.6.3.zip (vulnerable version)


Template Validation:

  • ✅ Correct REST API endpoint
  • ✅ Proper SQLi payload (time-based SLEEP)
  • ✅ Accurate vulnerability description
  • ✅ Correct CVSS score and classification
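
A log-side check for the request shape described in this PR, as an added example that is not part of the PR, the template, or the plugin: it flags any request to the WPNakama boards route whose `order` parameter is not a plain `ASC`/`DESC`. The combined access-log format, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The only values that are valid SQL sort directions for `order`.
ALLOWED_ORDER = {"ASC", "DESC"}
# Route named in the PR, reachable as /wp-json/... or via ?rest_route=...
ROUTE = "/wpnakama/v1/boards"
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_order(target):
    """Return the decoded `order` value when a request to the boards route
    carries anything other than ASC/DESC; otherwise return None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX and '+'
    path = parts.path.lower().rstrip("/")
    rest_routes = [r.lower().rstrip("/") for r in query.get("rest_route", [])]
    if not (path.endswith("/wp-json" + ROUTE) or ROUTE in rest_routes):
        return None
    for value in query.get("order", []):
        if value.strip().upper() not in ALLOWED_ORDER:
            return value
    return None


def scan(lines):
    """Return (client_ip, order_value) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        value = suspicious_order(m.group(1)) if m else None
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /wp-json/WPNakama/v1/boards?order_by=board_id&order=DESC&per_page=10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Feb/2026:10:00:05 +0000] "GET /?rest_route=/WPNakama/v1/boards&order_by=board_id&order=ASC,(SELECT+SLEEP(6))--&per_page=10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Feb/2026:10:00:09 +0000] "GET /wp-json/WPNakama/v1/boards?order=sideways HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Feb/2026:10:00:12 +0000] "GET /wp-json/wp/v2/posts?order=whatever HTTP/1.1" 400 120',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(ip, repr(value))
```

The same allowlist (`ASC`/`DESC` only) is the natural server-side validation for a sort-direction parameter, since `esc_sql()` and `prepare()` placeholders do not cover SQL keywords interpolated into the query string.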
