The fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.
File: objects/category.php
Vulnerable code:
    public static function fixCleanTitle($clean_title, $count, $id, $original_title = "")
    {
        global $global;
        $sql = "SELECT * FROM categories WHERE clean_name = '{$clean_title}' ";
        if (!empty($id)) {
            $sql .= " AND id != {$id} ";
        }
        $sql .= " LIMIT 1";
        $res = sqlDAL::readSql($sql, "", [], true);
        // ...
    }
Both $clean_title (a user-supplied category name after slug conversion) and $id (the category ID being edited) are embedded directly into the SQL string. The $clean_title value derives from user input through the category save workflow — it is the "clean" URL-slug version of whatever category name the user submits. No escaping or parameterization is applied before the value is placed inside single quotes in the query.
An authenticated admin creates or renames a category with the title:
test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -
After slug conversion (which typically only strips spaces and special characters, leaving SQL metacharacters that survive inside single quotes), the backend executes:
SELECT * FROM categories WHERE clean_name = 'test' UNION SELECT username,password,3,4,5,6,7,8,9,10 FROM users-- -' LIMIT 1
This returns rows from the users table, enabling full credential exfiltration. The $id concatenation point is also injectable via a crafted numeric+SQL-suffix value if integer validation is absent.
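A hardened form of the same lookup, as an added example rather than code from the advisory or the affected project: the slug and id travel as bound parameters, and the function is exercised against an in-memory SQLite database with constructed tables and rows so it runs stand-alone (the `users` columns and values are placeholders).

```php
<?php
// Added example (not the project's code): the lookup from fixCleanTitle()
// rewritten with bound parameters instead of string interpolation.

function findCategoryByCleanName(PDO $db, string $cleanTitle, $excludeId = null): ?array
{
    $sql    = "SELECT * FROM categories WHERE clean_name = ?";
    $params = [$cleanTitle];
    if (!empty($excludeId)) {
        // Cast first: whatever arrives as "id" becomes an integer, never SQL text.
        $sql     .= " AND id != ?";
        $params[] = (int) $excludeId;
    }
    $sql .= " LIMIT 1";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);           // values are sent as data, not as query text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema and rows for the demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_name TEXT)");
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO categories (clean_name) VALUES ('test')");
$db->exec("INSERT INTO users VALUES ('admin', 'hash-placeholder')");

// Ordinary slug: the one matching category row is returned.
var_dump(findCategoryByCleanName($db, 'test'));

// A slug of the same shape as the advisory's payload: bound as a parameter it
// is compared literally against clean_name, matches nothing, and the UNION is
// never parsed as SQL. Expected: NULL.
$slug = "test' UNION SELECT username,password FROM users-- -";
var_dump(findCategoryByCleanName($db, $slug));

// Rename path (the $id branch): a numeric value with a trailing SQL suffix is
// reduced to the integer 1 by the cast, so only the id != 1 comparison runs.
// Expected: NULL (the only row has id 1 and is excluded).
var_dump(findCategoryByCleanName($db, 'test', '1 OR 1=1'));
```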
Severity: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Exploitability: AV:N, AC:L, AT:N, PR:L, UI:N
Vulnerable System: VC:H, VI:N, VA:N
Subsequent System: SC:N, SI:N, SA:N