24 May

False Vulnerability Report: SQL Injection Vulnerability in Featured Image Resize

As part of cataloging the vulnerabilities in WordPress plugins for our service, we come across false reports of vulnerabilities from time to time. So that others don't spend their time looking them over as well, we post our findings on them. The data on these false reports is also included in our service's data.

Earlier today a thread was started on the WordPress Support Forum claiming that the plugin Featured Image Resize contained a SQL injection vulnerability. Between us being notified of the thread and when we went to check over things, half the message was removed. It isn't clear if it was removed by the poster or silently removed by a forum moderator (they do some strange stuff along those lines); whichever it was, it causes a problem, as what was removed makes it easy to see that the vulnerability doesn't exist.

Currently the message just states:

This plugin appears to be vulnerable to SQL injection. Recommend it is not used until fixed.

Previously right after that it included this:

$thumbnail_id = $_REQUEST['thumbnail_id'];
$wpdb->get_row("SELECT * FROM $wpdb->posts WHERE id = '" . $thumbnail_id . "'", 'ARRAY_A');

Just seeing those two lines makes it look like there is a SQL injection vulnerability, but looking at them in context in the file /featured-image-resize.php shows that there isn't. That is because right after the value of the GET or POST input "thumbnail_id" is assigned to $thumbnail_id, there is a check to make sure it is numeric:

$thumbnail_id = $_REQUEST['thumbnail_id'];
if( !is_numeric($thumbnail_id) ) return false;

If you were to try a SQL injection using that input, the code would return at this point, so the value never gets used in a SQL statement and therefore there isn't a SQL injection vulnerability. is_numeric() does accept a few things besides a plain integer (leading whitespace, a decimal point, exponent notation like 1e3), but none of those can carry a quote or any other character that would break out of the quoted value in the query.

The code could still be improved by using a prepared statement ($wpdb->prepare() with a %d placeholder) to better ensure that SQL injection couldn't occur, rather than relying on a check that sits a few lines above the query and could be removed in a later edit.
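To make the two points above concrete, here is an added example (ours, not code from the plugin or from the forum post). It runs the plugin's is_numeric() guard over a set of constructed probe strings to show what it accepts and rejects, and then builds the same query through a $wpdb->prepare() call with a %d placeholder. The FakeWpdb class is a stand-in we wrote so the file runs outside WordPress; the real wpdb::prepare() also handles %s and %f placeholders.

```php
<?php
// Added example, not code from the plugin or the forum post. Exercises the
// plugin's is_numeric() guard with constructed inputs, then shows the
// $wpdb->prepare() form. FakeWpdb is a stand-in so this runs without WordPress.

// Same guard as in featured-image-resize.php: non-numeric input returns false
// before the value can reach any query.
function guarded_thumbnail_id($input) {
    $thumbnail_id = $input;
    if (!is_numeric($thumbnail_id)) return false;
    return $thumbnail_id;
}

// Hardened form: %d coerces the value to an integer inside prepare(), so the
// query stays safe whether or not the guard above still exists.
function thumbnail_query($wpdb, $input) {
    return $wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE ID = %d", $input);
}

// Minimal stand-in for the real wpdb object (assumption: only %d is needed
// here). The real wpdb::prepare() also escapes and quotes %s arguments.
class FakeWpdb {
    public $posts = 'wp_posts';
    public function prepare($query, ...$args) {
        $ints = array_map(fn($a) => (int) $a, $args);
        return vsprintf($query, $ints);
    }
}

// Constructed probes: values an attacker or a sloppy client might put in
// ?thumbnail_id=...
$probes = [
    '42',                           // plain id: accepted
    ' 42',                          // leading whitespace: accepted, harmless
    '1e3',                          // accepted; MySQL compares it numerically as 1000
    '42.7',                         // accepted; MySQL compares it as a float
    "42' OR '1'='1",                // quote breakout: rejected
    '42; DROP TABLE wp_posts; -- ', // stacked statement: rejected
    '0x2A',                         // hex string: rejected on PHP 7 and later
    ['42'],                         // thumbnail_id[]=42 arrives as an array: rejected
];

$wpdb = new FakeWpdb();
foreach ($probes as $p) {
    $r = guarded_thumbnail_id($p);
    echo str_pad(json_encode($p), 34), ' -> ', $r === false ? 'rejected' : 'accepted', "\n";
    if ($r !== false) {
        // The prepared form reduces every accepted value to a bare integer.
        echo str_repeat(' ', 37), thumbnail_query($wpdb, $r), "\n";
    }
}
```

Run it with `php example.php`. The injection-style probes never get past the guard, which is the post's point; the prepared form is the belt-and-braces version, and it also turns an accepted oddity like '1e3' or '42.7' into a plain integer before it reaches MySQL.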
