Unauthenticated SQL injection bugs put thousands of WordPress sites under threat
A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.
Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly selected plugins, quickly finding an unauthenticated SQL injection vulnerability.
They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates in the last two years – around 5,000 plugins in total.
Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.
And after three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.
“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Miller tells The Daily Swig.
“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”
This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. And, from there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.
Looking for patterns
With a bit more engineering, says Miller, the team's tag strategy could be used to fine flaws other than SQL injection vulnerabilities.
“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”
Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – on occasion, as many as four or five per day.
“WPScan [a WordPress security vendor] coordinated the process of communication between all the parties involved - researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.
And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.
“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells The Daily Swig.
“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”