11 Sep

If a Hacker Has Modified Your WordPress Website’s Database That Doesn’t Mean a SQL Injection Vulnerability Was Exploited

Among the many areas where there seems to be confusion over security when it comes to WordPress websites, and websites more broadly, is a type of vulnerability known as SQL injection. SQL is short for Structured Query Language, a language used for communicating with some databases. SQL injection involves injecting malicious code into SQL statements, causing code specified by the attacker to run against the database. What can be done through that depends on the specifics of the vulnerability, but in most instances with WordPress plugins all that can be done with that is to slowly read out the contents of the database. What often gets referred to as SQL injection, involves any changes being made to the database, which in recent history with WordPress plugins being exploited, almost never involves SQL injection.

One of the ways we keep up with vulnerabilities in WordPress plugins, so that we can warn customers of our service about any of them that impact them is by monitoring topics on the WordPress Support Forum related to them. These days though what we are usually finding though is that vulnerabilities we already warned our customers about are now being exploited. That was the case with an arbitrary file viewing vulnerability in the plugin Advanced Access Manager that we warned our customers about on the 5th when it was fixed. We rated the vulnerability as having a high likelihood of exploitation. Early on the 7th a topic was started on the forum that appears to be due to that vulnerability being exploited. [Read more]

25 Jun

Vulnerability Details: SQL Injection in Author Chat

This post provides the details of a vulnerability in a WordPress plugin not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts with the details of vulnerabilities in plugins you use, including that you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

30 Apr

Vulnerability Details: SQL Injection in RSVPMaker

This post provides the details of a vulnerability in the WordPress plugin RSVPMaker not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

27 Mar

Would A Hacker Be Interested in This SQL Injection Vulnerability in Simple Ajax Shoutbox?

One of the ways we keep ahead of others when it comes to vulnerabilities in WordPress plugins, so that we can provide our customers with better security is that we monitor third-party data for indications that hackers are targeting WordPress plugins. Through that we just ran across someone possibly probing for usage of the plugin Simple Ajax Shoutbox by requesting the readme.txt file for it. That isn’t a very popular plugin, with only 1,000+ active installations according to wordpress.org, and hasn’t been updated in two years.

In a quick look over the plugin we didn’t see an obvious vulnerability that hackers would be interested in exploiting, though there were some things that look like they might cause a serious issue. But what did stand our right away is that that there is an easy to spot SQL injection vulnerability. That isn’t really isn’t something hackers seem all that interested in, but we can at least warn our customers and others that hackers might be targeting this plugin. [Read more]

18 Mar

Vulnerability Details: SQL Injection in Better Search

This post provides the details of a vulnerability in the WordPress plugin Better Search not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

21 Feb

Is a Hacker Interested in This SQL Injection Vulnerability in JS Support Ticket or Something Else?

One of the ways we try to keep track of vulnerabilities being exploited in WordPress plugins to provide our customers the best data on vulnerabilities that might impact their website is to monitor third party data on possible attacks. Through one of those we saw a report of the following request being made recently related to the plugin JS Support Ticket:

/wp-admin/admin-ajax.php?action=jsticket_ajax&jstmod=fieldordering&task=getOptionsForFieldEdit&field=1 [Read more]

04 Feb

The WordPress REST API Opening Up New Front for Security Vulnerabilities in WordPress Plugins

When it comes to the causes of security vulnerabilities in WordPress plugins we haven’t seen something truly new for some time, so that makes something we recently started seeing a pickup of, notable. That being vulnerabilities that are exploitable through WordPress’ REST API. The vulnerabilities are not caused by the REST API, but increasing usage of it in plugins is making more code accessible through it that isn’t properly secured. The API was introduced in WordPress 4.4, which was released back in December, 2015, so this comes with a bit of delay (maybe because developers were waiting till there was wide adoption of WordPress versions that supported it).

Right now we are continuing to evaluate how to respond to this in terms of things like our Plugin Security Checker and in the security reviews we do of plugins. For the latter, we are going to starting doing some checking over this type of code during upcoming reviews to get a better idea of what is going on, before considering official adding any checks related to it our reviews. [Read more]

20 Dec

PHP Objection Injection Through a SQL Injection Vulnerability in a WordPress Plugin

Recently there have been claims that hackers have been causing PHP object injection through SQL injection vulnerabilities in WordPress plugins. The details needed to allow others to confirm whether or not that is true had not been provided (which didn’t stop journalist from repeating the claims) and in our testing we were not able to figure out a way to get that to work with the plugins that it has been claimed it had occurred with. It is possible that we have missed something or it is possible that there was a belief that it could occur leading to hackers attempting it, but it really wasn’t possible in those plugins.

One route we looked to recreate the claim was using UNION SELECT as part of the SQL injection to cause a value needed for the PHP object injection to be returned from the SQL statement susceptible to SQL injection. What we have run into in trying that is that we couldn’t get an appropriate value needed for PHP object injection through that, due to the escaping WordPress does of quote marks. [Read more]

15 Dec

Is This SQL Injection Vulnerability Why a Hacker Would Be Interested in the SendinBlue Subscribe Form And WP SMTP Plugin?

Several days ago we had a request at this website for a file that would be located at /wp-content/plugins/table-maker/readme.txt. Subsequent to that, while reviewing the log files of another website for some work we were doing over at our main business we saw the same file requested. The requested file would be part of the plugin SendinBlue Subscribe Form And WP SMTP. On both websites the IP address also requested a readme.txt for another plugin, which we will be discussing at a later time. Those requests would be seem to be from someone probing for usage of those plugins. A likely reason for that would be a hacker probing for usage of the plugins.

In looking over the plugins we have yet to find some obvious security vulnerability that would be something that would be targeted by a hacker, but we did find that both had poor security leading to security vulnerabilities. Another thing we found with both is that they were using unserialization on data coming from a request from the database. Recently there have been claims that a SQL injection vulnerabilities was somehow being exploited and that lead to PHP object injection when the result from the SQL query susceptible to SQL injection was passed through the unserialize() function. No evidence was presented that was the case though. It is possible that the claim is true. It also possible that there is belief there is an issue that doesn’t really exist (we have seen plenty of instances hackers trying to exploit vulnerabilities that don’t exist and we have security companies failing to understand that). Whatever the case, we did find this plugin has a couple of SQL injection vulnerabilities for which the results is then unserialized. [Read more]

27 Oct

Vulnerability Details: SQL Injection Vulnerability in Ultimate Form Builder Lite

This post provides the details of a vulnerability in the WordPress plugin Ultimate Form Builder Lite not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]