Widely-Used WordPress Plugins at Risk of Exploitation

A critical security alert has been issued for users of multiple WordPress plugins after three new vulnerabilities were discovered on December 19th. These have been found to be caused by a failure to properly verify request parameters, allowing for classic SQL injection attacks. 

Identifying the risks

One of the discovered vulnerabilities in a plugin specifically relates to the lack of proper input validation in the 'code' parameter in the /pmpro/v1/order REST route. This led to an unauthenticated SQL injection vulnerability, as the parameter was not properly escaped before being used in a SQL statement.

Another vulnerability was found in a plugin that relates to the lack of proper input validation in the 's' parameter in the 'edd_download_search' action. This specifically originates from the 'edd_ajax_download_search()' function located in the './includes/ajax-functions.php' file.

And last but not least, one more vulnerability was discovered in a plugin, which relates to the lack of proper input validation in the 'surveys_ids' parameter in the 'ays_surveys_export_json' action. Exploiting it requires an authenticated account, but not administrator privileges: an account with the 'subscriber' privilege level is sufficient.

Consequences

As a result, values are inserted into SQL queries without modification or with minimal modification, making them vulnerable to classic SQL injection attacks. These types of attacks can give an attacker the ability to access sensitive information, delete or modify data, or even take control of the entire website.
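The pattern the post describes is a request parameter spliced directly into SQL text, and the fix in WordPress plugins is to bind it through `$wpdb->prepare()`. The following is an added example, not code from the affected plugins or from BitNinja. `FakeWpdb`, the table names `example_orders` and `example_surveys`, and the function names are assumptions so that the file runs from the command line without WordPress; the real `$wpdb->prepare()` escapes through the MySQL driver rather than `addslashes()`.

```php
<?php
// Added example, not code from the affected plugins or from BitNinja.
// FakeWpdb is a hypothetical stand-in for WordPress's $wpdb so this file runs
// stand-alone; it reproduces only the placeholder shape of prepare().
class FakeWpdb {
    public string $prefix = 'wp_';

    public function prepare(string $query, ...$args): string {
        // %d values are cast to int, %s values are quoted and escaped.
        $bound = array_map(
            fn($a) => is_int($a) ? (string) $a : "'" . addslashes((string) $a) . "'",
            $args
        );
        // Every value is already rendered above, so %d and %s both become %s here.
        return vsprintf(str_replace('%d', '%s', $query), $bound);
    }
}

// Vulnerable shape described in the post: the 'code' parameter is concatenated
// straight into the query text, so a quote in the input changes the SQL.
function order_query_vulnerable(FakeWpdb $wpdb, array $request): string {
    $code = $request['code'] ?? '';
    return "SELECT id, status FROM {$wpdb->prefix}example_orders WHERE code = '$code'";
}

// Hardened: the value is bound through prepare() and never spliced into the text.
function order_query_hardened(FakeWpdb $wpdb, array $request): string {
    $code = (string) ($request['code'] ?? '');
    return $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}example_orders WHERE code = %s",
        $code
    );
}

// Same idea for a list parameter such as 'surveys_ids': coerce every element
// to an integer and emit one %d placeholder per value. For an export action the
// caller should also verify the user's capability before running this query;
// binding protects the SQL, it does not decide who may export.
function survey_export_query_hardened(FakeWpdb $wpdb, array $ids): string {
    $ids = array_map('intval', $ids);
    if ($ids === []) {
        throw new InvalidArgumentException('surveys_ids must not be empty');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_surveys WHERE id IN ($placeholders)",
        ...$ids
    );
}

// Constructed request: a code value that contains a single quote.
$wpdb = new FakeWpdb();
$request = ['code' => "abc' OR '1'='1"];

echo order_query_vulnerable($wpdb, $request), PHP_EOL;
// ... WHERE code = 'abc' OR '1'='1'        <- the quote closed the literal
echo order_query_hardened($wpdb, $request), PHP_EOL;
// ... WHERE code = 'abc\' OR \'1\'=\'1'    <- still a single string literal
echo survey_export_query_hardened($wpdb, ['7', '12abc', "3' OR 1=1"]), PHP_EOL;
// ... WHERE id IN (7,12,3)                 <- non-numeric tails are dropped
```

Run it with `php example.php`: the first line shows the vulnerable query text already containing an extra `OR` clause, while the hardened versions keep the input inside one quoted literal or reduce it to integers, which is the property the WAF rules below are standing in for until the plugins are updated.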

It is important to note that these vulnerabilities were found in widely-used plugins, and it is likely that a significant number of websites are at risk. All users of these plugins are strongly advised to update their software immediately in order to protect their websites from potential exploitation.

The WordPress community has a responsibility to keep the platform and its users safe, and the team behind these plugins is working quickly to address the vulnerabilities and release updates. 

Addressing the issue

At the time of this release, the three vulnerabilities have been assigned CVE identifiers, but they are still pending approval. This means that they are currently being evaluated by the relevant authorities to determine their severity and potential impact. However, it is important to note that even with these pending approvals, the vulnerabilities have been found to exist and affect multiple WordPress plugins. As soon as the CVEs are approved, the identification numbers will be published and can be used for reference.

BitNinja has taken immediate action to protect our users by issuing three WAF rules:
CVE-2023-23488 -> 406016,
CVE-2023-23489 -> 406017,
CVE-2023-23490 -> 406018.

These rules are specifically designed to protect against the identified vulnerabilities. By adding these rules to our security configuration, users of affected WordPress plugins can have an added layer of protection against potential exploitation.

Summary

A significant security warning has been released for three WordPress plugins after new vulnerabilities were found on December 19th. These have been found to be caused by a failure to properly check request parameters, allowing for classic SQL injection attacks. These types of attacks can give an attacker the ability to access sensitive information, delete or modify data, or even take control of the entire website.
We have taken immediate action to protect our users by issuing three WAF rules, but all users of these plugins are strongly advised to update their software immediately in order to protect their websites from potential exploitation.
