One of the ways we try to keep track of vulnerabilities being exploited in WordPress plugins to provide our customers the best data on vulnerabilities that might impact their website is to monitor third party data on possible attacks. Through one of those we saw a report of the following request being made recently related to the plugin JS Support Ticket:

/wp-admin/admin-ajax.php?action=jsticket_ajax&jstmod=fieldordering&task=getOptionsForFieldEdit&field=1

Looking at the code that causes to the run in the plugin we immediately noticed there is a SQL injection vulnerability as the “field” input is passed in to a SQL statement without being sanitized or the statement being parameterized:

368
369
370
371
372
373
374
375

function getOptionsForFieldEdit() {
	$field = JSSTrequest::getVar('field');
	$yesno = array(
		(object) array('id' => 1, 'text' => __('JYes', 'js-support-ticket')),
		(object) array('id' => 0, 'text' => __('JNo', 'js-support-ticket')));
 
	$query = "SELECT * FROM " . jssupportticket::$_db->prefix . "js_ticket_fieldsordering WHERE id=$field";
	$data = jssupportticket::$_db->get_row($query);

SQL injection vulnerabilities are not commonly exploited, so one possible explanation for this is that the request is just checking if the plugins is active before the hacker exploit something else and it just happens that the code being called also contains a SQL injection vulnerability.

So far in looking over the plugin we haven’t found any obvious more serious vulnerability, but we haven’t exhaustively looked over the plugin by any means. If you see something, please let us know.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Proof of Concept

The following proof of concept will take varying amounts of time for the page to load depending on how long you specify MySQL sleep function to run.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[sleep time]” with how many seconds you want sleep to occur for.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=jsticket_ajax&jstmod=fieldordering&task=getOptionsForFieldEdit&field=1 AND SLEEP([sleep time])

Concerned About The Security of the Plugins You Use?