On May 15th, 2020, a SQL injection vulnerability for the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not soon after this, we noticed an increase in SQL injection attacks against WordPress sites.
As you can see from the graph above, the attacks were spiking on May 16th at 10 PM and May 17th at 7 AM. At the time of the spike, the attack count raised as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on 17th May the attacks started to lower ending with 2 attacks on the 17th at 12 AM.
Analysis of the attack in Photo Gallery by 10Web
After an analysis, it seems that a malicious user is attempting to find sites that have a vulnerable version of this plugin installed. We found the POST payload below being sent 19 000 times against WordPress sites over a period of roughly 36 hours.
[action] => bwg_frontend_data
[bwg_search_0] => 1# %DFGDFG\"))\/**\/UNION\/**\/ALL\/**\/SELECT\/**\/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''\/**\/as\/**\/dummy_3\/**\/from\/**\/information_schema.tables#FGDFGDFG))#
[gallery_type] => album_compact_preview
[type_0] => album
This payload seems to perform a basic UNION SQL injection attack which will attempt to inject different data into the result set of the query which the malicious user can use to determine if a vulnerable version of the plugin is, in fact, running on the site.
All requests were sent with the same user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
Multiple IP addresses were used in the attack, the top 10 are as follows:
- 220.127.116.11 – USA – DigitalOcean
- 18.104.22.168 – Russia – OOO Network of data-centers Selectel
- 22.214.171.124 – France – OVH SAS
- 126.96.36.199 – France – OVH SAS
- 188.8.131.52 – France – OVH SAS
- 184.108.40.206 – France – OVH SAS
- 220.127.116.11 – France – OVH SAS
- 18.104.22.168 – Hungary – Szervernet Ltd
- 22.214.171.124 – USA – Centrilogic
- 126.96.36.199 – Singapore – DigitalOcean
Analysis of Photo Gallery by 10Web
The payload above makes it clear that the issue resides in the
wp_ajax_nopriv_bwg_frontend_data AJAX actions which both call a function frontend_data which calls a chain of other functions which ultimately ends up in the file that is vulnerable to SQL injection: /frontend/models/model.php.
In this file, there is a function called
get_image_rows_datawhich uses the
bwg_search_* parameter. From the payload used by the malicious user, we can see that it is in fact where the issue resides. Data from the user-provided
bwg_search_* parameter was used directly in the SQL query which caused this SQL injection vulnerability to exist.
If we take a look at the differences between version 1.5.54 and 1.5.55 of the plugin here, you can see that the patched version contains the usage of the
$wpdb->prepare function which mitigates the vulnerability.
May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability