SQL Injection (SQLi)
Introduction
This article covers cases of possible SQLi on WordPress. This includes improper usage of functions and user input handling inside of the plugin/theme which can be used to inject a malicious query into the SQL execution to leak sensitive data.
Useful Functions
Several functions could be useful to identify a possible SQLi vulnerability:
Example Cases
Below is an example of vulnerable code:
The vulnerable variable in this case is $question_sql, whose value comes from $_COOKIE[ 'question_ids_'.$quiz_id ] without proper sanitization or escaping. The sanitize_text_field function is not enough to prevent SQL injection here, because $question_sql is placed inside an ORDER BY clause without proper escaping.
To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-admin/admin-ajax.php endpoint, specifying the needed action and parameter to trigger the SQL injection (let's say that the {$wpdb->prefix}custom_questions table has 5 columns):
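The pattern described above, as an added illustration that is not the plugin's real code: a constructed vulnerable function that drops a cookie value into ORDER BY after sanitize_text_field, beside a hardened version that casts every id to an integer and binds it through $wpdb->prepare. The exact query shape (ORDER BY FIELD(...)), the question_id column and the function names are assumptions.

```php
<?php
// Constructed example (not the plugin's own code). Assumes a WordPress
// context where $wpdb is available and $quiz_id is already an integer.

// Vulnerable shape: sanitize_text_field() strips tags and stray whitespace
// but does not neutralise SQL metacharacters, and the value lands in an
// unquoted ORDER BY context, where esc_sql() would not help either.
function get_questions_vulnerable( $quiz_id ) {
    global $wpdb;
    // Attacker-controlled: any client can set this cookie to an arbitrary string.
    $question_sql = sanitize_text_field( $_COOKIE[ 'question_ids_' . $quiz_id ] );
    $table        = $wpdb->prefix . 'custom_questions'; // assumed table name
    return $wpdb->get_results(
        "SELECT * FROM {$table} WHERE quiz_id = {$quiz_id} ORDER BY FIELD(question_id, {$question_sql})"
    );
}

// Hardened shape: treat the cookie as a list of integers, cast each element,
// drop anything non-numeric, and let $wpdb->prepare() bind the values.
function get_questions_hardened( $quiz_id ) {
    global $wpdb;
    $quiz_id = absint( $quiz_id );
    $raw     = isset( $_COOKIE[ 'question_ids_' . $quiz_id ] )
        ? wp_unslash( $_COOKIE[ 'question_ids_' . $quiz_id ] )
        : '';
    // absint() turns non-numeric input into 0, which array_filter() then discards.
    $ids = array_filter( array_map( 'absint', explode( ',', $raw ) ) );
    if ( empty( $ids ) ) {
        return array();
    }
    // One %d placeholder per id; only $wpdb->prefix (not user input) is interpolated.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $table        = $wpdb->prefix . 'custom_questions';
    $sql          = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE quiz_id = %d ORDER BY FIELD(question_id, {$placeholders})",
        array_merge( array( $quiz_id ), array_values( $ids ) )
    );
    return $wpdb->get_results( $sql );
}
```

The hardened version also removes the column-count guessing the exploit relies on: because every value is bound as an integer, no UNION or subquery can be appended to the ORDER BY clause.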
Below are some of the findings related to SQLi:
- Critical Vulnerabilities Patched in REHub Theme and Plugin
- Critical SQL Injection Found in Porto Theme's Plugin
- Multiple High and Critical Vulnerabilities in Avada Theme and Plugin
- Critical Unauthenticated SQL Injection in Quiz And Survey Master <= 8.1.4
- Multiple Vulnerabilities Fixed In WP Statistics Plugin Version <= 13.2.10
- Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2