CVE-2023-5433: SQL Injection Vulnerability in Message Ticker Plugin for WordPress Caused by Insufficient Escaping and Lack of Query Preparation

In today's post, we will be discussing an SQL Injection vulnerability in the widely-used Message Ticker plugin for WordPress (versions up to and including 9.2). This has been assigned the identification number CVE-2023-5433, with the vulnerability linked to insufficient escaping and lack of query preparation on the user-supplied parameter within the plugin's shortcode. Consequently, this opens the doors for authenticated attackers to exploit subscribers with permission levels and access sensitive data stored within the website's database.

Before we dive into the code snippet and exploit details, here are the original references to the vulnerability:
1. WordPress Message Ticker Plugin SQL Injection Vulnerability Advisory
2. CVE-2023-5433

Code Snippet and Vulnerability Analysis

The vulnerability is present in the 'message-ticker.php' file, specifically on the lines handling the number_offset parameter within the msg_ticker_shortcode function. Here's the relevant code snippet:

function msg_ticker_shortcode($atts) {
  global $wpdb;
  // ...
  extract(shortcode_atts(array('category' => '', 'number' => 5, 'number_offset' => , 'speed' => 3, 'pause' => , 'order' => 2), $atts));
  // ...
  if (strlen($category) > )
    $sql .= " WHERE " . _MSG_CATEGORY_COLUMN_ . " = '" . $category . "'";
    
  if ($order == 1) 
    $sql .= " ORDER BY " . _MSG_UPDATE_COLUMN_;
  elseif ($order == )
    $sql .= " ORDER BY rand()";
  else
    $sql .= " ORDER BY " . _MSG_ID_COLUMN_;
    
  $sql .= " LIMIT " . $number_offset . "," . $number;
  $items = $wpdb->get_results($sql);
  // ...
}

As observed in this snippet, the shortcode_atts array consists of parameters. Among these is the number_offset parameter, which is appended directly to the SQL query as-is without any form of escaping or sanitization. This lack of sufficient escaping on the user-supplied input and inadequate query preparation within the existing SQL query allows an attacker to execute additional SQL statements, resulting in the SQL Injection vulnerability.

Exploit Details

To exploit this vulnerability, an attacker must have an authenticated account on the targeted WordPress website, with a minimum of subscriber-level permissions. While subscriber-level access rights may seem relatively low, it should not be discounted that such roles can enable a malicious party to gather and exploit sensitive information from the website.

To illustrate an example, an attacker could craft an SQL Injection POST request to the website as follows:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Cookie: <auth_cookie>

action=process_shortcode&message_ticker_nonce=<valid_nonce>&shortcode=[msg-ticker number="5" number_offset=" UNION SELECT 1,2,3,4,5,6,7,8,9,10,11 FROM wp_users%23"]

The shades of risk associated with this exploit include possible data breaches for the targeted website as well as potential unauthorized access to sensitive information about users, stored in the website's database.

Conclusion

In conclusion, the Message Ticker plugin for WordPress (up to version 9.2) suffers from an SQL Injection vulnerability, attributed to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This poses the risk for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into existing queries, paving the way for unauthorized data extraction from the targeted website's database. It is recommended for all affected users to update their Message Ticker plugin installation immediately.

Timeline

Published on: 10/31/2023 09:15:08 UTC
Last modified on: 11/07/2023 04:24:00 UTC