Bugs deemed ‘very easy to exploit as they require no prerequisites’
Hide My WP, a popular WordPress security plugin, contained a serious SQL injection (SQLi) vulnerability and a security flaw that enabled unauthenticated attackers to deactivate the software.
Now patched, the bugs were discovered during an audit of several plugins on a customer’s website by Dave Jong, CTO of Patchstack, which protects WordPress websites from vulnerabilities and runs a WordPress-focused bug hunting platform.
The SQLi “is pretty severe”, Jong told The Daily Swig. “It allows anyone to extract information from the database, it has no prerequisites. A tool such as SQLmap could easily exploit this vulnerability.”
YOU MAY ALSO LIKE GoDaddy managed WordPress hosting service breach exposed 1.2m user profiles
The other vulnerability is less severe, “but could, under the right conditions, cause a malicious user to continue exploitation of a different vulnerability”, added Jong.
Both flaws are “very easy to exploit as they require no prerequisites”, he warned.
SQLi in SQLi defense software
Claiming more than 26,000 customers, Hide My WP hides WordPress installations from malicious hackers, spammers, and theme detectors by various means.
The plugin, which includes a feature that blocks SQLi and XSS attacks, itself contained an SQLi bug because of how the IP address was retrieved and used within SQL queries.
“The function hmwp_get_user_ip tries to retrieve the IP address from multiple headers, including IP address headers which can be spoofed by the user such as X-Forwarded-For,” reads a blog post published by Jong yesterday (November 24).
“By supplying a malicious payload in one of these IP address headers, it will be directly inserted into the SQL query which makes SQL injection possible.”
Meanwhile, a reset token – hmwp_reset_token – “will be directly printed onto the screen which can then be used to deactivate the plugin in the file /wp-content/plugins/hide_my_wp/d.php (located in the root folder of the plugin),” explained Jong, adding the caveat that there must be a valid token with a non-empty value.
Read more of the latest WordPress security news
“Simply by visiting a URL such as /wp-admin/admin-ajax.php?die_message=new_admin&action=heartbeat we can make it display the reset token on the screen,” he added.
Jong said he discovered the vulnerability, notified the plugin’s developer, wpWave, and released a ‘virtual patch’ to premium Patchstack users on September 29.
On October 5, after wpWave failed to respond, he alerted Envato, which responded within minutes and promptly removed the plugin, temporarily, from its codecanyon.net marketplace.
Jong praised wpWave for rapidly addressing both flaws in Hide My WP version 6.2.4, released on October 26.
“I would like to stress that such security improvements should be covered as positive news for the [open source] ecosystem,” he said. “The fact that you haven’t heard about a vulnerability being fixed in some other plugins doesn’t mean the vulnerabilities aren’t there – but might mean they are just not addressed.”
Patchstack’s CTO invited other researchers and developers to report any bugs found in WordPress plugins to Patchstack’s WordPress plugin-specific bounty program.
RECOMMENDED Interview: Patchstack’s Oliver Sild on securing WordPress, one plugin vulnerability at a time