SQL Injection Vulnerability in Party Hall Booking Manager
One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities that exist in the current versions of plugins that hackers appear to have already started exploiting. In the most recent case, though, we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin Party Hall Booking Manager, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injection. That type of vulnerability is not one we often see targeted by hackers, so it is possible there is an additional issue with the plugin.
In a number of places in the code, user input is included in SQL queries without being sanitized and without a parameterized query being used. Below is one of those that we confirmed is exploitable.
In the file /scbooking.php the function ccb_get_roomprice_by_custompost() is made accessible to visitors who are not logged in through WordPress’ AJAX functionality (the wp_ajax_nopriv_ hook):
    add_action( 'wp_ajax_nopriv_ccb_get_roomprice_by_custompost','ccb_get_roomprice_by_custompost' );
That function takes the request parameter “post_id” (from GET or POST, since it reads $_REQUEST) and inserts it, unsanitized, directly into a SQL query:
    function ccb_get_roomprice_by_custompost(){
        if($_REQUEST){
            global $table_prefix,$wpdb;
            // post_id is taken straight from the request with no validation
            $post_id = $_REQUEST['post_id'];
            // and concatenated into the query, so anything after the number is executed as SQL
            $sql_room_price = "select * from ".$table_prefix."postmeta where meta_key='_room_price' and post_id=".$post_id;
            $result = $wpdb->get_results($sql_room_price);
            echo json_encode($result);
        }
        exit;
    }
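For comparison, the following is a hardened version of the same handler. It is an added example written for this post, not code from the plugin; it assumes the standard WordPress $wpdb, absint() and wp_send_json*() APIs are loaded (i.e. it runs as plugin code), and the _fixed suffix on the function name only distinguishes it from the vulnerable original.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for
// ccb_get_roomprice_by_custompost(). Assumes the WordPress $wpdb,
// absint() and wp_send_json*() APIs are available (plugin context).

function ccb_get_roomprice_by_custompost_fixed() {
    global $wpdb;

    // Validate: a post ID is a positive integer and nothing else.
    $post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        wp_send_json_error( 'invalid post_id', 400 ); // sends JSON and exits
    }

    // Parameterize: %d forces an integer, %s is quoted and escaped by $wpdb.
    // $wpdb->postmeta already carries the table prefix, so no manual concatenation.
    $sql = $wpdb->prepare(
        "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s AND post_id = %d",
        '_room_price',
        $post_id
    );
    $result = $wpdb->get_results( $sql );

    // wp_send_json() sets the JSON content type and exits, replacing the
    // bare echo json_encode() + exit of the original.
    wp_send_json( $result );
}

// Same action name as the original. Also hooked for logged-in users, since
// wp_ajax_nopriv_ alone does not serve authenticated requests.
add_action( 'wp_ajax_nopriv_ccb_get_roomprice_by_custompost', 'ccb_get_roomprice_by_custompost_fixed' );
add_action( 'wp_ajax_ccb_get_roomprice_by_custompost', 'ccb_get_roomprice_by_custompost_fixed' );
```

Two points of design: the %d placeholder alone would already stop the injection, but the absint() check turns garbage input into a clean 400 instead of a query for post 0, and selecting the three needed columns rather than * keeps meta_id and any future columns out of a response that is served to anyone on the internet.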
Proof of Concept
You can confirm the SQL injection is occurring by comparing how long the following two requests take to complete; the second appends a SQL expression to the query that makes the database wait ten seconds before responding.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[post id]” with the ID of a room. That ID can be found by going to /custom_bookings/, opening the page for a room, and then taking the ID from the page source. It is usually at the end of the URL in the “shortlink” link element in the head section.
No delay:
http://[path to WordPress]/wp-admin/admin-ajax.php?action=ccb_get_roomprice_by_custompost&post_id=[post id]
10 second delay:
http://[path to WordPress]/wp-admin/admin-ajax.php?action=ccb_get_roomprice_by_custompost&post_id=[post id]
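If you run a site with this plugin, the same request pattern can be checked for after the fact. The following script is an added example, not part of the original post: it scans web-server access-log lines for calls to this AJAX action whose post_id is anything other than a plain integer, which is what an injection probe looks like. The log lines are constructed for the example, and the injection strings in them are illustrative rather than the exact payload used in the proof of concept above.

```php
<?php
// Added example, not part of the original post: flag admin-ajax.php requests
// for the vulnerable action whose post_id is not a plain integer.

// Constructed sample lines in Apache/nginx "combined" log format.
$log_lines = [
    '198.51.100.7 - - [03/Oct/2016:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_get_roomprice_by_custompost&post_id=42 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Oct/2016:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_get_roomprice_by_custompost&post_id=42%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Oct/2016:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=ccb_get_roomprice_by_custompost&post_id=42%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Oct/2016:10:02:00 +0000] "GET /custom_bookings/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

/**
 * Return the log lines that call ccb_get_roomprice_by_custompost with a
 * post_id that is not purely digits (a missing post_id is flagged too).
 */
function find_suspicious_roomprice_requests( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        // Pull the request target out of the quoted request field.
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $url = parse_url( $m[1] );
        if ( ( $url['path'] ?? '' ) !== '/wp-admin/admin-ajax.php' || empty( $url['query'] ) ) {
            continue;
        }
        parse_str( $url['query'], $params ); // URL-decodes each value
        if ( ( $params['action'] ?? '' ) !== 'ccb_get_roomprice_by_custompost' ) {
            continue;
        }
        $post_id = (string) ( $params['post_id'] ?? '' );
        // A legitimate call carries only digits; anything else is a probe.
        if ( ! ctype_digit( $post_id ) ) {
            $hits[] = [ 'post_id' => $post_id, 'line' => $line ];
        }
    }
    return $hits;
}

foreach ( find_suspicious_roomprice_requests( $log_lines ) as $hit ) {
    echo 'suspicious post_id ' . var_export( $hit['post_id'], true ) . ' in: ' . $hit['line'] . "\n";
}
```

Running this on the constructed lines reports the second and third requests (post_id of 42' and 42 OR 1=1) and ignores the clean call and the unrelated page view. Because the handler reads $_REQUEST, the parameter can also arrive in a POST body, which an access log does not record; for POST traffic the same check has to run inside the application or a web application firewall rather than over the log.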
Timeline
- 10/3/2016 – WordPress.org Plugin Directory notified.