Sensitive database data at risk if webmasters fail to update systems
UPDATED WP Statistics, a popular web analytics plugin for WordPress, contained a time-based blind SQL injection vulnerability that, if exploited, could result in sensitive information being exfiltrated from a site’s database.
Webmasters of WordPress sites running the open source plugin, which number more than 600,000, have been urged to update their systems as soon as possible.
The nature of the high severity (CVSS score 7.5) pre-authenticated vulnerability (CVE-2021-24340) means “exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records”, said Ram Gall, threat analyst and QA engineer at WordPress security platform Wordfence, in a blog post published on Tuesday (May 18).
In a targeted attack, this vulnerability could be used to extract personally identifiable information from e-commerce sites containing customer information.
“This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.”
Constructing the attack
Among other traffic data, WP Statistics provides detailed figures about which pages website users visit.
Accessing a ‘Pages’ menu generates an SQL query that displays these statistics, said Gall.
Although the function is supposed to be restricted to administrators, “it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page”, continued the threat analyst.
“Since the SQL query ran in the Page constructor,” any visitor could trigger the SQL query without logging in. “A malicious actor could then supply malicious values for the ID or type parameters.”
As with another time-based blind SQL injection bug Wordfence recently discovered in CleanTalk’s AntiSpam plugin, the use of an esc_sql function failed to repel the attack for want of a prepared statement, said Gall.
Elaborating on the issue, the threat analyst told The Daily Swig: “We’ve seen multiple instances in the past where escaping input was insufficient and led to a false sense of security, and expect to see more in the future. Escaping input can be sufficient in some cases, but it’s not really a safe assumption anymore.
He added: “Prepared statements have been considered a best practice for a long time now, and while some developers may have avoided them in the past because they can be tricky to implement manually, there’s not really an excuse for not using them in WordPress thanks to the ease of use that $wpdb->prepare() allows.”
However, Mostafa Soufi, co-founder of WP Statistics developer VeronaLabs, told The Daily Swig that the flaw was less serious than Wordfence researchers indicated, because “they didn't provide us an example to [prove] there [was] a security bug on the query,” and “those parameters [were] already sanitized with esc_sql() one by one before the patch”.
Wordfence has since responded to these assertions with the following statement: “A sample PoC was sent to VeronaLabs upon discovery of the vulnerability to demonstrate how an exploit of the coding flaw was possible.
“Additionally, another security researcher has published a proof of concept based on the minimally detailed article published on Wordfence.com. In other words, this has already been reproduced by other security researchers.”
The Wordfence threat intelligence team alerted VeronaLabs to the vulnerability on March 13, and a release containing a fix, version 13.0.8, was issued on March 25.
The vulnerability affects all previous versions.
This article was updated on May 25 with additional comments from Mostafa Soufi of VeronaLabs, and then with a response to those comments from Wordfence on May 26.