CVE-2017-20246 in KittyCatfish

Summary

by MITRE • 06/09/2026

The KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. SQL can be injected through the 'kc_ad' parameter in base.css.php or kittycatfish.php, and sensitive database information extracted using boolean-based blind or time-based blind techniques.


Analysis

by VulDB Data Team • 06/09/2026

The KittyCatfish 2.2 WordPress plugin contains a critical SQL injection vulnerability that exposes sensitive database information to unauthenticated attackers. The vulnerability stems from improper input validation and sanitization in the plugin's code, specifically in the handling of the kc_ad parameter in both base.css.php and kittycatfish.php. The flaw is a classic case of insufficient parameter escaping that lets an attacker inject arbitrary SQL into the application's database queries. Security researchers have identified the issue as a significant risk to WordPress installations running this plugin version.

Exploitation works by manipulating the kc_ad GET parameter, which is incorporated directly into SQL queries without sanitization or parameterization. An attacker can use boolean-based blind SQL injection, inferring database contents from how the application responds to crafted true/false conditions, or time-based blind injection, which introduces deliberate delays in query processing and extracts information from the resulting timing differences. The vulnerability affects the plugin's CSS generation, where kc_ad is processed in base.css.php, as well as the main plugin file kittycatfish.php, so the attack surface is broader than it first appears. The weakness is classified as CWE-89 (SQL Injection), which the OWASP Top Ten treats as a high-risk vulnerability.

The operational impact goes beyond simple data theft: an attacker can potentially extract complete database schemas, user credentials, and other sensitive information from affected WordPress installations. Because the exploit is unauthenticated, anyone who can reach the vulnerable website can use it without prior login credentials or elevated privileges, which makes the vulnerability particularly dangerous in environments where WordPress plugins are not regularly updated or monitored for security patches. The attack is also hard to spot because it abuses the plugin's legitimate CSS generation functionality, so the malicious requests look like normal application processing to security monitoring systems.

Mitigation requires immediate action from system administrators, starting with updating the plugin to version 2.3 or later, where the SQL injection flaw has been addressed through proper parameter sanitization and input validation. Organizations should deploy web application firewalls to detect and block SQL injection attempts against the affected parameters, and should audit all installed WordPress plugins for similar weaknesses. Regular security monitoring and vulnerability scanning should be in place to catch similar issues in other components of the WordPress ecosystem. The vulnerability also underlines the importance of secure coding practices such as parameterized queries and input validation, as recommended in the software security guidelines of the ISO/IEC 27001 standard, which address protection against SQL injection through proper code implementation.
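The defect class and the recommended fix, as an added illustration that is not the KittyCatfish plugin's own code (the page does not reproduce the plugin's queries): a hypothetical handler that reads kc_ad from the query string and looks up an ad row, shown first in the unsafe string-concatenation shape and then hardened with input validation and $wpdb->prepare(). A small helper reuses the same validation to flag logged requests whose kc_ad is not a plain integer, which supports the WAF and monitoring advice above. The table name kc_ads and the assumption that kc_ad is a positive numeric id are invented for the example.

```php
<?php
// Added example, not code from the KittyCatfish plugin. Assumptions (invented for
// the illustration): kc_ad is a positive numeric ad id, ads live in a custom table
// {$wpdb->prefix}kc_ads, and the WordPress runtime ($wpdb, wp_die) is loaded when
// the handlers run.

// ANTI-PATTERN (the CWE-89 shape the advisory describes): the raw request value
// is concatenated into the SQL text, so whatever is in kc_ad becomes part of the
// statement instead of being treated as a data value.
function kc_get_ad_unsafe() {
    global $wpdb;
    $ad = isset($_GET['kc_ad']) ? $_GET['kc_ad'] : '';
    return $wpdb->get_row("SELECT id, css FROM {$wpdb->prefix}kc_ads WHERE id = " . $ad);
}

// Input validation shared by the handler and by the log check below: the value
// must be a scalar positive integer and nothing else. Returns the int, or null.
function kc_valid_ad_id($value) {
    if (!is_string($value) && !is_int($value)) {
        return null; // arrays (kc_ad[]=...) and other types are rejected
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// HARDENED handler: validate first, then bind the value with $wpdb->prepare().
// %d makes prepare() emit an integer literal, so the parameter can never change
// the structure of the query. The table prefix is not user-controlled, so
// interpolating it into the string is safe.
function kc_get_ad_safe() {
    global $wpdb;
    $ad_id = isset($_GET['kc_ad']) ? kc_valid_ad_id($_GET['kc_ad']) : null;
    if ($ad_id === null) {
        wp_die('Invalid ad id', 'KittyCatfish', ['response' => 400]);
    }
    $sql = $wpdb->prepare(
        "SELECT id, css FROM {$wpdb->prefix}kc_ads WHERE id = %d",
        $ad_id
    );
    return $wpdb->get_row($sql);
}

// Detection aid: given the query string of a logged request to base.css.php or
// kittycatfish.php, report whether kc_ad carried anything other than a plain
// positive integer. Those are exactly the requests the hardened handler would
// reject, and they are the ones worth alerting on.
function kc_request_is_suspicious($query_string) {
    parse_str($query_string, $params);
    if (!isset($params['kc_ad'])) {
        return false; // parameter absent: nothing to judge
    }
    return kc_valid_ad_id($params['kc_ad']) === null;
}

// Constructed sample query strings (not real log data).
$samples = [
    'kc_ad=42',     // ok: plain integer
    'kc_ad=0',      // suspicious: ids start at 1
    'kc_ad=42abc',  // suspicious: trailing non-digits
    'kc_ad[]=42',   // suspicious: array instead of scalar
];
foreach ($samples as $qs) {
    echo $qs, ' => ', kc_request_is_suspicious($qs) ? 'suspicious' : 'ok', PHP_EOL;
}
```

The two database handlers need WordPress loaded, but kc_valid_ad_id() and kc_request_is_suspicious() use only core PHP, so the sample loop at the bottom runs under the php CLI on its own. The point of sharing one validator between the request path and the log review is that the monitoring rule and the code's own acceptance criterion cannot drift apart.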

Responsible: VulnCheck
Reservation: 06/08/2026
Disclosure: 06/09/2026
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.00000
KEV: no
Activities: very low

Sources
