CVE-2022-3848 - Vulnerability Disclosed: SQL Injection Exploitable in WP User Merger WordPress Plugin (Before Version 1.5.3) by Users with Admin Privileges

The WP User Merger WordPress plugin combines two or more user accounts into one, reassigning the posts, links and credits associated with the merged accounts. Version 1.5.2 and earlier of the plugin contain a SQL injection vulnerability that can be triggered by users holding the Administrator role. The issue, tracked as CVE-2022-3848, is that a parameter is neither sanitised nor escaped before it is used in a SQL statement.

In this post we describe the nature of the vulnerability, walk through a code snippet illustrating the issue, and point to the original references for anyone who wants more technical depth. We also discuss the exploit conditions and the steps needed for remediation.

Vulnerability Details

The SQL injection in the WP User Merger plugin (prior to version 1.5.3) stems from a failure to sanitise and escape a parameter before it is embedded in a SQL statement. Because the parameter reaches the query unchanged, an authenticated administrator can append their own SQL to it and read arbitrary data from the WordPress database, not just the rows the plugin intended to touch.

The following snippet illustrates the kind of code path involved, deleting users by ID through $wpdb. The public advisories do not name the affected parameter or function, so read it as a sketch of the pattern rather than the plugin's exact code:

function wpum_delete_users($user_ids) {
  global $wpdb;
  foreach ($user_ids as $id) {
    // Each ID is cast to (int) before being concatenated into the statement,
    // so only a number can ever reach the WHERE clause here.
    $wpdb->query("DELETE FROM $wpdb->users WHERE ID = " . (int) $id);
    $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id = " . (int) $id);
  }
}

Note that in this sketch each ID is cast to (int) before concatenation, which is enough to prevent injection into an integer column: the statement can only ever receive a number. The vulnerable code in versions before 1.5.3 lacked an equivalent cast, sanitisation or escaping on the affected parameter, so attacker-controlled text was concatenated into the SQL statement as-is, which is what allows unintended SQL to execute and sensitive data to be read.
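To make the difference concrete, here is an added example (not code from the WP User Merger plugin) that places the injectable pattern next to a hardened version built on $wpdb->prepare(). The unsafe function is what the sketch above would look like without the (int) casts; the function names, the manage_options capability check and the sample inputs are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not the plugin's code. It contrasts string concatenation
 * of a request parameter into SQL (the pattern behind WordPress SQLi bugs)
 * with the $wpdb->prepare() form that prevents it. Function names and the
 * capability check are assumptions for illustration.
 */

// UNSAFE: if $id arrives as a string straight from $_POST, it is interpolated
// into the statement verbatim. A constructed input such as
//   "1 OR 1=1"
// turns the clause into  WHERE ID = 1 OR 1=1  and deletes every user, and a
// UNION or time-based payload in the same spot can read other tables.
function example_delete_users_unsafe( array $user_ids ) {
    global $wpdb;
    foreach ( $user_ids as $id ) {
        $wpdb->query( "DELETE FROM {$wpdb->users} WHERE ID = $id" );
        $wpdb->query( "DELETE FROM {$wpdb->usermeta} WHERE user_id = $id" );
    }
}

// SAFE: authorise the caller, coerce every ID to a positive integer, and let
// $wpdb->prepare() bind the values through %d placeholders. One prepared
// DELETE ... IN (...) per table also avoids a round trip per user.
function example_delete_users_safe( array $user_ids ) {
    global $wpdb;

    // Only administrators may reach this code path (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // absint() maps "1 OR 1=1" to 1 and "abc" to 0; drop zeros and duplicates
    // so the query only ever sees a clean list of positive integers.
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $user_ids ) ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    // Build "%d, %d, %d" with one placeholder per ID, then bind the values.
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->users} WHERE ID IN ($placeholders)", $ids )
    );
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->usermeta} WHERE user_id IN ($placeholders)", $ids )
    );

    return (int) $deleted;
}

// Constructed input: the second element is an injection attempt. The unsafe
// function would concatenate it into the query; the safe one reduces it to 1.
$constructed_input = array( '42', '1 OR 1=1', 'abc' );
example_delete_users_safe( $constructed_input );
```

In a real plugin the deletion itself is better left to core's wp_delete_user( $id, $reassign ), which also reassigns the user's posts and links; the point of the example is the boundary between request data and SQL, where every value must be either cast to the expected type or bound through a prepared placeholder, never concatenated.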

Original References

The vulnerability's CVE identifier, CVE-2022-3848, can be found in the National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-3848

Moreover, the WPScan Vulnerability Database also has an entry for this specific vulnerability: https://wpscan.com/vulnerability/1337d491-781e-47a4-9dc4-013e68e8ec41

Exploit Details

Exploiting this vulnerability requires an Administrator account. On a single-site WordPress install an administrator can already install plugins and post unfiltered HTML, so the additional power gained from SQL injection is limited; the issue matters more on multisite networks, where site administrators are deliberately kept below the super admin and cannot install plugins, and in any deployment where a compromised or phished admin session is the attacker's foothold. Either way, an admin-level SQL injection turns a foothold into direct database access, so it should still be patched promptly.

Successful exploitation lets the attacker read arbitrary rows from the WordPress database, including user email addresses, password hashes from wp_users, and any sensitive data other plugins store in their own tables. The remediation steps below remove the issue.

Remediation Steps

To resolve this vulnerability, WordPress administrators running the WP User Merger plugin should update to version 1.5.3 or later, the release in which the vendor fixed the SQL injection by sanitising and escaping the affected parameter before it reaches the SQL statement.

In addition, keep the number of Administrator accounts to a minimum, enforce strong passwords and two-factor authentication (2FA) on those accounts, and review logs for unexpected admin logins or unusual database activity that could indicate a compromised account being used to exploit the flaw.

Conclusion

CVE-2022-3848 is a reminder that even code reachable only by administrators needs proper parameterisation and auditing. By tracking security releases and updating plugins promptly, WordPress administrators keep their installations protected against vulnerabilities like this one, including those that require admin access to exploit. Keep your WordPress installation secure by updating plugins proactively and following established security practices.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:48:00 UTC