CVE-2023-5429: Information Reel Plugin for WordPress SQL Injection Vulnerability in Versions <= 10.
Attention WordPress users! A new vulnerability has been discovered in the Information Reel plugin, and it's considered a significant security risk. If you're using the plugin, you'll want to read on to learn about the issue, how it can affect your site, and what you can do to protect yourself.
Description
The Information Reel plugin for WordPress – widely used for displaying news and other updates as scrolling text on websites – is prone to a SQL Injection attack. The vulnerability has been identified in versions up to, and including, version 10.. The problem lies in insufficient escaping on user-supplied parameters and lack of adequate preparation in the existing SQL query.
This makes it possible for authenticated attackers (those with subscriber-level and above permissions) to append additional SQL queries into existing queries. As a result, they can extract sensitive information from the database. This is a serious security risk and can lead to leaking of confidential data or unauthorized access to the website's backend.
Exploit details
The vulnerability is present in the plugin's shortcode, enabling an attacker to craft a malicious SQL query. Here is a code snippet that demonstrates the vulnerable part of the code:
$info_orderby = isset($_REQUEST['orderby']) ? $_REQUEST['orderby'] : 'date';
$sql_query = "SELECT * FROM $table WHERE status = '1' ORDER BY " . $info_orderby;
As shown above, the $info_orderby variable is taken directly from the user's input ($_REQUEST['orderby']) without any validation or escaping. This allows the attacker to insert malicious SQL commands that can compromise the system.
For example, an attacker could send a request with the following SQL code in the orderby parameter
1;SELECT * FROM wp_users;
This would turn the original query into
SELECT * FROM $table WHERE status = '1' ORDER BY 1;SELECT * FROM wp_users;
This would result in the attacker obtaining a list of all users, including their usernames, hashed passwords, email addresses, and other personal information.
Mitigation
Until the plugin's developer releases an update to fix this vulnerability, users can take the following steps to protect themselves:
Disable or uninstall the vulnerable Information Reel plugin.
2. Restrict access to the WordPress admin area by employing strong authentication methods and limiting the number of users with access.
3. Monitor the website for any suspicious activity and maintain regular backups to safeguard against data loss or corruption.
Original advisory on the vulnerability
- [Link to original references/source]
Conclusion
It's crucial for WordPress users to stay informed about any potential vulnerabilities in the plugins they use, as they can pose significant security risks to their websites. If you're using the Information Reel plugin, take the necessary precautions to protect your site from potential attackers exploiting this vulnerability.
Stay tuned for updates on this issue and other security concerns that may impact your WordPress site.
Timeline
Published on: 10/31/2023 09:15:00 UTC
Last modified on: 11/07/2023 04:23:00 UTC