27 Sep 2023

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming that there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there.

Once the proof of concept was disclosed yesterday, we were able to confirm that there is indeed an unfixed SQL injection vulnerability that exists as of the latest version of the plugin, 2.0.5. That vulnerability would allow an attacker to read out the contents of the WordPress database. The latest version of the plugin was released on Monday, so the developer is actively developing the plugin, but hasn’t fixed this vulnerability for whatever reason.

We have notified the developer of the disclosure of the vulnerability.

Better Handling Needed

WPScan is owned by Automattic, which is run by the head of WordPress, Matt Mullenweg, so it seems like there should have been better handling of things than has happened here. Either WPScan didn’t notify the WordPress team running the WordPress Plugin Directory, so that they could take action, or they were notified, but didn’t take action that addressed this. In either case, the problem is ultimately the responsibility of Matt Mullenweg.

Removing the plugin from the plugin directory until it is fixed would limit others from installing the vulnerable version.

In a situation where a vulnerability has a significant chance of exploitation, if the developer is not fixing it, then WordPress should provide a fix. (Something they have so far failed to do with another recent unfixed vulnerability probably being targeted by a hacker.) This vulnerability can be fixed enough to prevent exploitation by simply restricting the user input passed to the SQL statement to an integer using intval(). That would only require changing one line of code. It would be better addressed by using a prepared SQL statement.
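To show what the two fixes described above look like in WordPress code, here is an added illustration. It is not code from WP Job Portal and does not reproduce the vulnerable line in that plugin; the table name, function names and the `job_id` request parameter are hypothetical, and the only WordPress APIs used are `$wpdb->get_row()`, `$wpdb->prepare()`, `intval()` and `absint()`.

```php
<?php
// Added illustration of the fix pattern; not the plugin's own code.
// Table name (example_jobs), function names and the job_id parameter are hypothetical.

// Vulnerable pattern: a request value is interpolated into the SQL statement
// as-is, so whatever text the client sends becomes part of the query.
function example_get_job_vulnerable( array $request ) {
    global $wpdb;
    $id = $request['job_id'];
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_jobs WHERE id = {$id}" );
}

// Minimal one-line fix from the post: cast the value to an integer before it
// reaches the query. Any non-numeric input collapses to a plain number, so
// nothing the client sends can change the structure of the statement.
function example_get_job_intval( array $request ) {
    global $wpdb;
    $id = intval( $request['job_id'] );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_jobs WHERE id = {$id}" );
}

// Better fix: a prepared statement. $wpdb->prepare() binds the value through a
// typed placeholder (%d), so it is never parsed as SQL. absint() additionally
// rejects negative values, which an ID column should never need.
function example_get_job_prepared( array $request ) {
    global $wpdb;
    $id = isset( $request['job_id'] ) ? absint( $request['job_id'] ) : 0;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_jobs WHERE id = %d",
            $id
        )
    );
}
```

When reviewing a plugin for this class of bug, the thing to look for is any `$wpdb` call whose SQL string contains an interpolated variable that traces back to `$_GET`, `$_POST` or `$_REQUEST` without passing through `$wpdb->prepare()` or an integer cast; the intval() variant is adequate for numeric identifiers, while string parameters need `prepare()` with a `%s` placeholder.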

Forcing out an update in this situation would be worth considering as well, though that would be more controversial.

Missing from Other Data Providers

So far those relying on plugin vulnerability data ultimately from either Patchstack or Wordfence are not being warned about the vulnerability.

