This repository demonstrates a vulnerability in WordPress 5.8.2, in which missing sanitization in `class-wp-tax-query.php` can, in very specific situations, allow attackers to perform SQL injection.

Note that successful exploitation requires developers to add vulnerable code to the WordPress instance, in which unsanitized user input is passed to a `$terms` variable that is then used when the SQL clause is constructed. See `evil.php` in the included "evil" plugin, and the lack of sanitization of the `$terms` variable in `get_sql_for_clause` in `class-wp-tax-query.php`.

The vulnerable/malicious plugin is located at `src/wp-content/plugins/evil/evil.php`.

## Demonstration steps

1. `sudo docker-compose up`
2. Follow the installation instructions at `localhost`.
3. Activate the WordPress plugin in the admin panel (it's titled "evil plugin").
4. Send the request in `newexploit_req.txt` to the newly created server. You should get a time delay.

Note that the vulnerability demonstrated by the plugin is a blind SQL injection, so if you want to try data retrieval you'll need to retrieve data either via time delays or errors.

## Debugging notes

- `sudo service docker restart` if name resolution failure occurs.
- Adjust `xdebug.client_host=172.19.0.1` in `xdebug.ini` as needed.
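The following is an added illustration, not the contents of the repository's `evil.php`: it shows the unsafe plugin pattern the README describes (request input flowing unvalidated into a `tax_query` `terms` value) next to a hardened version that validates the values before they reach `WP_Tax_Query`. The request parameter name `filter_terms`, the taxonomy `product_tag`, and the choice of `'field' => 'term_taxonomy_id'` are assumptions of this example; the README does not state which names or field the plugin uses.

```php
<?php
/**
 * Added illustration (not the repository's evil.php). Parameter name
 * `filter_terms`, taxonomy `product_tag` and the `term_taxonomy_id` field
 * are assumptions made for this example.
 */

// UNSAFE: the raw request value becomes the `terms` entry of the tax_query.
// WordPress 5.8.2 does not sanitize $terms in get_sql_for_clause(), so the
// plugin, not core, is the only place validation could have happened.
function unsafe_filtered_query() {
    $terms = isset( $_GET['filter_terms'] ) ? wp_unslash( $_GET['filter_terms'] ) : array();

    return new WP_Query( array(
        'post_type' => 'post',
        'tax_query' => array(
            array(
                'taxonomy' => 'product_tag',
                'field'    => 'term_taxonomy_id',
                'terms'    => $terms,
            ),
        ),
    ) );
}

// HARDENED: validate before the value ever reaches WP_Tax_Query.
// Term taxonomy IDs are positive integers, so every element is coerced with
// absint() and zeros are dropped (absint() returns 0 for non-numeric input).
// This does not depend on the core fix: a plugin should never rely on the
// framework to sanitize values it hands into a query.
function hardened_filtered_query() {
    $raw = isset( $_GET['filter_terms'] ) ? wp_unslash( $_GET['filter_terms'] ) : array();

    // wp_parse_list() accepts a comma-separated string or an array.
    $ids = array_values( array_filter( array_map( 'absint', wp_parse_list( $raw ) ) ) );

    if ( empty( $ids ) ) {
        // Nothing valid was supplied: run the unfiltered query instead of
        // passing an empty or garbage clause through.
        return new WP_Query( array( 'post_type' => 'post' ) );
    }

    return new WP_Query( array(
        'post_type' => 'post',
        'tax_query' => array(
            array(
                'taxonomy' => 'product_tag',
                'field'    => 'term_taxonomy_id',
                'terms'    => $ids,
                'operator' => 'IN',
            ),
        ),
    ) );
}
```

When auditing a plugin for this pattern, look for any `tax_query` (or `WP_Tax_Query` constructor call) whose `terms` value can be traced back to `$_GET`, `$_POST`, `$_REQUEST` or a REST/AJAX parameter without an integer cast, `sanitize_key()`, or a whitelist check in between; the integer cast shown above is the appropriate fix for ID-based fields, while slug and name fields should be restricted to known terms.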