11 Jan 2024

Authenticated SQL Injection Vulnerability in PDF Invoices & Packing Slips for WooCommerce

One of the changelog entries for the latest version of the WordPress plugin PDF Invoices & Packing Slips for WooCommerce is “Fix: potential SQL injection bug in Number Tools”. In looking into that, we found that this wasn’t a potential issue, but a vulnerability. Specifically, it is an authenticated SQL injection vulnerability exploitable by users with the Shop Manager role. It is also a cross-site request forgery (CSRF)/SQL injection vulnerability that could be exploited against Shop Managers and Administrators. We also found it hadn’t been fully fixed.

Looking at the changes made in the new version, we saw that in the file /includes/tables/class-wcpdf-number-store-list-table.php changes were being made related to user input being passed into a SQL statement. That code is accessed when accessing this admin page from the plugin: /wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug&section=numbers. While the developer was already using a prepared SQL statement, they are, for some reason, passing user input directly into it when they shouldn’t, which defeats the purpose of the protection offered by a prepared SQL statement. The new version still doesn’t resolve that, as that aspect of this wasn’t addressed. Instead, the developer passed the user input through sanitize_text_field(), which doesn’t stop SQL injection. That involves the variable $search: [Read more]

5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate [Read more]

16 Mar 2023

Our Firewall Plugin Caught That Jetpack’s “Internal Audit” of Slimstat Analytics Missed That Vulnerability Still Exists

Recently Automattic’s Jetpack claimed to have done an “internal audit” of the WordPress plugin Slimstat Analytics and found an authenticated SQL injection vulnerability that was subsequently fixed. We don’t know what an internal audit is supposed to be, but they failed to fully test or check over the vulnerable code, and the authenticated SQL injection vulnerability still exists (which isn’t that surprising, considering the discoverer is a former employee of Sucuri). They also missed another security issue in the relevant code, which helped lead to the vulnerability still existing. Interestingly, an in-development feature of our firewall plugin caught that the issue hadn’t been fully resolved.

Another Automattic unit, WPScan, also missed that this wasn’t fully resolved: [Read more]

13 Dec 2021

Vulnerability Details: Authenticated SQL Injection in Quotes Collection

It isn’t hard to tell that the WPScan Vulnerability Database isn’t verifying the claimed vulnerabilities it is adding to its data set, even though they claim to do just that. A recent entry in their database is described as an “Admin+ SQL Injection” in the plugin Quotes Collection, which would presumably mean a vulnerability that could only be exploited by an Administrator. But the additional details provided don’t even spell that out:


[Read more]

27 May 2021

Vulnerability Details: Authenticated SQL Injection in Yes/No Chart

The plugin Yes/No Chart was closed on the WordPress Plugin Directory on Monday. The next day a new version was submitted with the changelog entry “Fixed shortcode parameter security issue.” Looking at the changes we were able to determine that this was fixing an authenticated SQL injection vulnerability that was exploited through the plugin’s yesno_chart shortcode.


[Read more]

28 Feb 2020

Recently Closed WordPress Plugin with 60,000+ Installs Contains Multiple Vulnerabilities

The plugin Contact Form Submissions was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 60,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a CSV injection vulnerability and an authenticated SQL injection vulnerability, which can also be exploited through cross-site request forgery (CSRF).

The CSV injection vulnerability involves a lack of escaping when using the plugin’s “Export to CSV” feature, as can be confirmed with the proof of concept below. [Read more]

29 Aug 2019

Vulnerability Details: Authenticated SQL Injection in NextGEN Gallery

We often find that other data sources will repeat claims made about security vulnerabilities without even being provided enough information to double check the information. Other outlets have run, without any reservation, a claim by Fortinet about a SQL injection vulnerability in NextGEN Gallery:


[Read more]

6 Aug 2019

Vulnerability Details: Authenticated SQL Injection in Popup Builder

Today Fortinet released a misleading “Zero-Day Advisory” about a vulnerability in the plugin Popup Builder. What is described is not a zero-day and the description is missing key information that would let everyone know that the issue is of limited concern (they have repeatedly failed to mention that type of information in recent reports of claimed vulnerabilities in WordPress plugins). Here is what they describe the issue as:


[Read more]