CVE-2023-4691 describes a critical SQL injection vulnerability in the popular WordPress Online Booking and Scheduling Plugin. The flaw affects plugin versions prior to 22.4. Alarmingly, it can be exploited by high-privilege users, such as those with 'Admin' access, amplifying the potential risk. This post provides a detailed analysis of the issue, including a code snippet, links to the original references, and information about the exploit itself.

Description

The vulnerability in the WordPress Online Booking and Scheduling Plugin stems from a lack of proper parameter sanitization and escaping before the parameter is used in a SQL statement. This oversight allows an attacker with high-privilege user access, such as an 'Admin,' to craft a malicious SQL fragment, have it executed against the database, and potentially perform unauthorized actions or retrieve sensitive information.

The vulnerable code snippet can be found in the _get_bookings_summary() function within the plugin. This function is responsible for generating a summary of bookings:

function _get_bookings_summary($order_by, $sort) {
    global $wpdb;
    $table_name = $wpdb->prefix . "booking";
    
    // The following line is vulnerable due to a lack of proper sanitization and escaping
    $summaries = $wpdb->get_results("SELECT * FROM $table_name ORDER BY $order_by $sort");
    
    return $summaries;
}

As seen from the code snippet, the $order_by and $sort parameters are directly appended to the SQL query without proper sanitization or escaping, creating a situation where an attacker can inject arbitrary SQL code.

Original References

CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2023-4691
WordPress Plugin Repository: https://wordpress.org/plugins/wp-simple-booking-calendar/

Exploit Details

To successfully exploit this vulnerability, an attacker with high privilege user access can manipulate the $order_by and $sort parameters to inject malicious SQL code. This could potentially allow the attacker to retrieve sensitive information, modify data, or execute unauthorized actions on the affected website.

For example, an attacker could use the following SQL injection payload:

$order_by = "1); DROP TABLE users; --";
$sort = "";

This payload, when injected into the vulnerable SQL statement, results in:

SELECT * FROM tablename ORDER BY 1); DROP TABLE users; -- ;

As a result, the 'users' table would be dropped from the database, causing potential data loss or website malfunction.
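For defenders, the request parameters that reach $order_by and $sort are the place to look for abuse. The following Python script is an added example, not code from the plugin or from the original post: it parses web-server access-log lines in the combined format, decodes the query string, and flags any order_by or sort value that falls outside the allowlist used in the mitigation (id, name, date; ASC, DESC), rating values containing SQL metacharacters as high severity. The parameter names order_by and sort are assumed to mirror the PHP variable names; the plugin's real request parameter names are not given on the page, and the log lines are constructed. Because POST bodies are not written to access logs, this check only covers parameters sent in the URL.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Allowlists matching the hardened _get_bookings_summary(): anything else is suspicious.
ALLOWED_ORDER_BY = {"id", "name", "date"}
ALLOWED_SORT = {"ASC", "DESC"}

# Characters and keywords that never belong in a column name or sort direction.
SQL_METACHARS = re.compile(
    r"[;'\"()]|--|/\*|\b(?:select|union|drop|insert|update|delete)\b", re.IGNORECASE
)

# Combined access-log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumed parameter names order_by and sort, mirroring the
# PHP variables on the page; the plugin's real request parameter names are not given).
# The second line carries the page's payload, URL-encoded; the last uses an unlisted column.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2023:20:15:16 +0000] "GET /wp-admin/admin.php?page=bookings&order_by=date&sort=DESC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2023:20:16:02 +0000] "GET /wp-admin/admin.php?page=bookings&order_by=1)%3B%20DROP%20TABLE%20users%3B%20--&sort= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2023:20:17:40 +0000] "GET /wp-admin/admin.php?page=bookings&order_by=name&sort=asc HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2023:20:18:11 +0000] "GET /wp-admin/admin.php?page=bookings&order_by=booking_date&sort=ASC HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return ip, timestamp, path and decoded query parameters, or None if not a log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path, "params": params}


def classify(params):
    """Return a list of (param, value, severity) for order_by/sort values outside the allowlists."""
    findings = []
    checks = (("order_by", params.get("order_by", ""), ALLOWED_ORDER_BY),
              ("sort", params.get("sort", "").upper(), ALLOWED_SORT))
    for name, value, allowed in checks:
        if value and value not in allowed:
            # Metacharacters mean a probable injection attempt; a plain unknown token is
            # more likely a broken link or a different plugin version, so it rates lower.
            severity = "high" if SQL_METACHARS.search(value) else "low"
            findings.append((name, params.get(name), severity))
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious parameter value."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value, severity in classify(rec["params"]):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                           "param": name, "value": value, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["severity"]:<4} {alert["ip"]:<12} {alert["param"]}={alert["value"]!r}')
```

Run against the constructed sample, the script raises one high-severity alert for the page's payload and one low-severity alert for the unlisted column name; tuning the allowlists to the column names your installed version actually accepts keeps the low-severity noise down.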

Mitigation

It is highly recommended that users immediately update their WordPress Online Booking and Scheduling Plugin to version 22.4 or later to resolve this vulnerability. Users should also ensure their website's admin credentials are only provided to trusted individuals and consider implementing two-factor authentication (2FA) for added security.
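To confirm whether an installation is still on an affected release, the version can be read from the plugin's main-file header and compared numerically against 22.4. The Python script below is an added example, not part of the original post or the plugin: it parses the Version: field from a plugin header and compares it as a tuple of integers, which avoids the lexicographic pitfall where the string "22.10" sorts before "22.4". The header text is constructed, and the plugin's real main-file name is not given on the page, so read the header from whichever file WordPress lists for the plugin.

```python
import re

FIXED_VERSION = "22.4"  # first release the advisory reports as fixed

# Constructed plugin header in the format WordPress reads from a plugin's main file;
# the plugin's real header text and main-file name are not given on the page.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: WordPress Online Booking and Scheduling Plugin
 * Version: 22.3
 */
"""


def parse_version(version):
    """Turn '22.4.1' into (22, 4, 1) so comparison is numeric, not lexicographic."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def header_version(header_text):
    """Extract the Version: field from a plugin file header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def check_plugin(header_text):
    """Return (version, affected); both are None when the header carries no version."""
    version = header_version(header_text)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    version, affected = check_plugin(SAMPLE_HEADER)
    print(f"installed {version}: {'AFFECTED, update to ' + FIXED_VERSION if affected else 'not affected'}")
```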

In addition to updating the plugin, proper input validation and parameter escaping should be implemented, either with the WordPress $wpdb->prepare() function or with parameterized MySQLi queries. Note that value placeholders cannot bind a column name or the ASC/DESC keyword, so identifiers and sort directions must additionally be checked against an allowlist.

Here's an example of how the vulnerable code can be rewritten with allowlists for the column and sort direction together with the $wpdb->prepare() function:

function _get_bookings_summary($order_by, $sort) {
    global $wpdb;
    $table_name = $wpdb->prefix . "booking";

    $allowed_order_by = array('id', 'name', 'date'); // Allowed ORDER BY columns
    $allowed_sort = array('ASC', 'DESC');            // Allowed sort directions

    // Validate against the allowlists (strict comparison) and fall back to safe defaults
    if (!in_array($order_by, $allowed_order_by, true)) {
        $order_by = 'id'; // Default column
    }

    $sort = strtoupper((string) $sort);
    if (!in_array($sort, $allowed_sort, true)) {
        $sort = 'ASC'; // Default direction
    }

    // %s would quote the values ("ORDER BY 'id' 'ASC'"), which MySQL does not treat as a
    // column and a direction. Identifiers take the %i placeholder (WordPress 6.2 and later);
    // the direction is a keyword, so it is interpolated only after the allowlist check above.
    $summaries = $wpdb->get_results(
        $wpdb->prepare("SELECT * FROM %i ORDER BY %i $sort", $table_name, $order_by)
    );

    return $summaries;
}

Conclusion

CVE-2023-4691 highlights the critical SQL injection vulnerability present in versions of the WordPress Online Booking and Scheduling Plugin prior to 22.4. This vulnerability can be exploited by high-privilege users, such as 'Admin,' to execute malicious actions or obtain sensitive information from affected websites. It is essential to update to a secure plugin version and properly sanitize user inputs to mitigate this security risk.

Timeline

Published on: 10/16/2023 20:15:16 UTC
Last modified on: 11/07/2023 04:22:50 UTC