Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.

Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly selected plugins, quickly finding an unauthenticated SQL injection vulnerability.

They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates in the last two years – around 5,000 plugins in total.

Exposed endpoints

Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.

And after three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.


RELATED Unpatched plugins threaten millions of WordPress websites


“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Miller tells The Daily Swig.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. And, from there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.

Looking for patterns

With a bit more engineering, says Miller, the team's tag strategy could be used to fine flaws other than SQL injection vulnerabilities.

“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”


Read more of the latest WordPress security news


Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – on occasion, as many as four or five per day.

“WPScan [a WordPress security vendor] coordinated the process of communication between all the parties involved - researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.

And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.

“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells The Daily Swig.

“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”


DON’T MISS W3C launches Decentralized Identifiers as a web standard