Toolset Types [SQL Injection]

Plugin Toolset Types [SQL Injection] is vulnerarable to unauthenticated SQL injection attacks.


Plugin registers the AJAX action wpt_suggest_taxonomy_term which provides a convenient way to search for WordPress terms. This action calls \WPToolset_Forms_Bootstrap::wpt_suggest_taxonomy_term() method which performs the requested search. This action is a non privileged one so an attacker can perform this attack without authenticating himself.

Plugin supports WPML integration and if the WPML plugin is installed and active it provides the functionality to search for translated terms by using the taxonomy parameter in either request body or as a query param.

Because WordPress uses the addslashes() function to all request params, in order for this attack to be successful a multibyte character encoding must be set in DB, but this attack is still possible as [Chris Shiflett showed in this blog post] (

Vulnerable code:

File toolset-forms/bootstrap.php, line 172:

$tax_where .= " AND t.term_id in (SELECT element_id from {$wpdb->prefix}icl_translations WHERE element_type = 'tax_{$_REQUEST['taxonomy']}' AND language_code = '{$lang}'  ) ";


curl ''
    -d 'action=wpt_suggest_taxonomy_term&q=1&taxonomy=%e5%27 AND (SLEEP(5)); --'