How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes
Description

SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it is used in a SQL query. So why does this well-understood vulnerability type continue to exist? In the WordPress space, the WordPress core development team has made a number of database functions available via its API. These functions abstract away all the common use-cases for database queries and are intended to do so in a way that prevents SQL injection vulnerabilities from being introduced by the developer. However, creative developers often come up with complex use-cases where these API functions alone are not sufficient to provide the functionality a plugin or theme needs. In other cases, developers are simply not sufficiently familiar with these WordPress core API database functions to use them correctly. In these cases, SQL injection vulnerabilities can still be introduced, as evidenced by SQLi being the fourth most common vulnerability type disclosed in 2024 in the WordPress ecosystem. Given its continued prevalence, SQL injection presents a compelling target for bug bounty hunters (and threat actors alike). Because database interaction is fundamental to most plugins and themes, the potential attack surface for SQLi is broad. However, these vulnerabilities can sometimes be challenging to find due to layers of abstraction or complex data flows. This combination of widespread database use…
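The paragraph above refers to the core database API that is meant to neutralize input, and to developers who use it incorrectly. The following is an added example written for this page, not code from the original post: the same plugin lookup written as the vulnerable direct concatenation, as the common misuse of `$wpdb->prepare()` that only looks like a fix, and as the correct parameterized form. It assumes the WordPress runtime is loaded (the global `$wpdb` object); the table name `plugin_orders`, its columns and the function names are hypothetical.

```php
<?php
/**
 * Added example, not from the original post. Assumes WordPress is loaded so that
 * the global $wpdb object exists. The table "plugin_orders" and its columns
 * (id, total, status, created) are hypothetical.
 */

// 1. Vulnerable (CWE-89): the caller-supplied value is concatenated straight into
//    the SQL string, so the database parses it as SQL rather than treating it as data.
function vuln_get_orders_by_status( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'plugin_orders'; // hypothetical table
    return $wpdb->get_results( "SELECT id, total FROM {$table} WHERE status = '{$status}'" );
}

// 2. Looks fixed but is not: prepare() is called, yet the value was already
//    interpolated into the query string, so there is nothing left for it to escape.
//    Recent WordPress versions also log a _doing_it_wrong() notice for a prepare()
//    call whose query contains no placeholder. Reviewers should treat this pattern
//    exactly like case 1.
function misuse_get_orders_by_status( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'plugin_orders';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE status = '{$status}'" )
    );
}

// 3. Correct: the query carries a %s placeholder and the value travels as a
//    separate argument. prepare() quotes and escapes it, so it is always data.
function safe_get_orders_by_status( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'plugin_orders';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE status = %s", $status )
    );
}

// 4. Values that are not string literals. Integers use %d. Identifiers such as a
//    column name in ORDER BY have no placeholder in prepare(), so they must be
//    reduced to an allowlist before they are interpolated into the query.
function safe_list_orders( $status, $order_by, $limit ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'plugin_orders';
    $allowed = array( 'id', 'total', 'created' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'id'; // unknown column requested: fall back to a known-safe one
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, total, created FROM {$table} WHERE status = %s ORDER BY {$order_by} LIMIT %d",
            $status,
            (int) $limit
        )
    );
}
```

When auditing a plugin for this class of bug, cases 1 and 2 are what to grep for: any `$wpdb->query()`, `get_results()`, `get_row()`, `get_var()` or `get_col()` call whose SQL string contains an interpolated variable (`{$...}` or `" . $var . "`) that did not pass through an allowlist, and any `prepare()` call whose query string already contains the variable rather than a `%s`, `%d` or `%f` placeholder.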
