Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



09:10 AM
Larry Loeb
Larry Loeb
Larry Loeb

WordPress Vulnerable to SQL Injection

Security firm Securi has found out that on WordPress versions earlier than 3.4 it will allow an SQL injection vulnerability to occur.

Duplicate Page is an open source pluginfor WordPress that does just what you think it will do. It duplicates pages. There are over 800,000 installations of the plugin. It will duplicate pages, posts and custom posts with one click also saving the selected options (draft, private, public, pending).

But security firm Securi has found out that on WordPress versions earlier than 3.4, it will also allow an SQL injection vulnerability to occur.

The bug is important because it is exploitable by any user with an account on the vulnerable site regardless of the privileges they may have (that means subscribers) and is easy to exploit. This bug can allow attackers to steal sensitive user information such as password hashes. It could also lead to a complete compromise of the vulnerable WordPress installation.

Depending on what other plugins are active on the site, this bug can be forced into a PHP Object Injection vulnerability.

Digging a little deeper here, it can been seen that the plugin relies on an admin_action_ hook which is executed at the very end of wp-admin/admin.php. This means that it may be executed when any kind of user is on their dashboard, or even when they are editing their personal information.

A plugin that uses this kind of syntax should routinely do additional privilege and nonce checks to verify that it is not executed by less privileged malicious users.

But that checking does not seem to be happening.

The variable $post_id of the post to be duplicated is assumed to be an integer. That means no matter what value is in $post_id, it will retrieve a valid post if the contents start with the post's ID. For example, "456 garbage" in the $post_id would grab a post whose ID is 456.

There's more. $post_id is directly appended to the $wpdb->get_results() query. Since $post_id can contain unsanitized user input (the "garbage" we added), this means there is an SQL Injection vulnerability.

The values returned by this vulnerable query are re-used in a foreach() loop and are re-appended in the subsequent INSERT SQL query. This means that an attacker can inject arbitrary values in the postmeta table. There you have the elements needed for a PHP Object Injection attack.

Pulling back from the low-levels mechanisms here, what can be done to mitigate?

First, get Duplicate Page 3.4 or better. This bug was first fixed in that release. Also, version 3.5 of the Duplicate Page plug is advised, since it has been tested and checked for the absence of the vulnerability.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...