WordPress is a big deal around here at 4GoodHosting, and like other Canadian web hosting providers we’ve recently recently debut our Managed Canadian WordPress hosting here. It’s optimized for WordPress sites, and the reason it’s been worth the time and efforts to put it together is that WordPress powers more sites than any other source around the world. It’s certainly come a long way from its humble beginnings as a means of putting your blog on the web.
But its popularity is also based on the thousands of plugins that users have to choose from to customize their pages. That popularity is the reason that these plugins and have become the target for SQL injection attacks recently, and with many of our web hosting in Canada customers having WP sites it makes sense for us to use this week’s blog entry to discuss this and make any one who the needs the info aware of the risk.
This is because a little less than 2 months ago (December 19, 2022) a critical security alert was issued for users with multiple WordPress Plugins. Apparently their inability to properly verify request parameters were increasing the risk for SQL injection attacks.
The assumption was that the threat factor was magnified even more by the fact that many people have so many plugins utilized within their website that they may not even be able to identify whether or not they’re at risk. These types of attacks can give an attacker the ability to access sensitive information, prompt the deletion or modification of data, or even take control of the entire website.
Input Validation Issue
The biggest of these discovered vulnerabilities in a plugin specifically relates to the lack of proper input validation in the ‘code’ parameter in the /pmpro/v1/order REST route. What results is an unauthenticated SQL injection vulnerability, able to occur because the parameter was not properly escaped before being used in a SQL statement.
The next serious vulnerability was found in a plugin that relates to the lack of proper input validation in the ‘s’ parameter in the ‘edd_download_search’ action. This specifically is being sent to stem from the ‘edd_ajax_download_search()‘ function located in the ‘./includes/ajax-functions.php’ file.
The third of these significant vulnerabilities was discovered in a plugin, which relates to the lack of proper input validation in the ‘surveys_ids’ parameter in the ‘ays_surveys_export_json’ action. Explaining how this works exactly, it means aan attacker needs to be authenticated but administrator privileges are not required. An example of this can be seen when it is used by an account with a ‘subscriber’ privilege level.
From there the values are inserted into SQL queries without modification or with minimal modification, making them vulnerable to classic SQL injection attacks. As mentioned, the attacker may then ability to access sensitive information, delete or modify data, or even take control of the entire website.
These vulnerabilities were found in widely-used plugins, and a significant number of websites being at risk is likely. Any user who is using these plugins is strongly advised to update their software immediately as a means of protecting their websites from potential exploitation. WordPress IS aware of the issue and the team behind these plugins is working quickly to address the vulnerabilities and release updates.
Addressing the Issue
At the time of this release, the three vulnerabilities have been assigned CVE identifiers, but they are still pending approval. This means that they are currently being evaluated by the relevant authorities to determine their severity and potential impact. 3WAF rules have been issued for user reference in response to these security vulnerabilities:
CVE-2023-23488 -> 406016
CVE-2023-23489 -> 406017
CVE-2023-23490 -> 406018
There will be a need to continuously monitor the results and any false positive rates.