A critical SQL Injection vulnerability has been found in the popular Up down image slideshow gallery plugin for WordPress. This vulnerability, identified as CVE-2023-5435, allows authenticated attackers with subscriber-level and above permissions to execute arbitrary SQL queries and potentially extract sensitive information from the database. The security issue is present in versions up to, and including, 12. of the plugin.

Technical Details

The vulnerability stems from the lack of proper input validation and escaping of user-supplied data, combined with the existing SQL query not being a prepared statement. This makes it possible for an attacker to inject additional SQL into the existing query, which can then be used to read potentially sensitive information from the database.

The vulnerable code can be found in the plugin's shortcode handling. Specifically, the file "wp-best-slideshow-gallery.php" contains the following code snippet:

<?php
// Vulnerable shortcode handler as shown in the advisory. The original
// snippet is abridged; elided parts are marked with comments.
function wp_best_gallery_shortcode( $atts ) {
    // ... (attribute handling elided in the original)
    $gallery_id = $atts['id'];   // raw, unvalidated shortcode attribute
    // ...
    // The attribute is concatenated straight into the query: no validation,
    // no escaping, and no prepared statement.
    $sql = "
        SELECT *
        FROM " . WP_BEST_GALLERY_TABLE .
        " WHERE gallery_id = " . $gallery_id .
        " AND gallery_status = 'ACTIVE'
        ORDER BY gallery_order
    ";
    // ... (query execution and rendering elided in the original)
}

In the code above, the user-supplied $gallery_id value is inserted directly into the SQL query without validation or escaping. This allows an attacker to append arbitrary SQL to the query, potentially leading to unauthorized information disclosure.

Proof of Concept Exploit

To demonstrate the vulnerability, a proof of concept exploit can be crafted using an authenticated account with subscriber-level permissions. The attacker can inject an SQL query using the shortcode, for example:

[best_slideshow_gallery id="1 OR 1=1 UNION SELECT @@version --"]

By using the shortcode above, the attacker will be able to extract sensitive information such as the version of the database server behind the WordPress site. Depending on the attacker's knowledge of the database structure, other useful information can also be extracted.

Mitigation and Remediation

To mitigate and fix the vulnerability, it is highly recommended that users update to the latest version of the Up down image slideshow gallery plugin immediately. Plugin developers should implement proper input validation, escaping, and use prepared statements for SQL queries to prevent SQL injection attacks.
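As an added example that is not the plugin's own code, the following is a hardened version of the shortcode handler from the snippet above, applying the three fixes named here: validating the attribute, binding it through $wpdb->prepare(), and escaping output. It reuses the WP_BEST_GALLERY_TABLE constant from the advisory; the function name, the 'ACTIVE' status value and the column names image_url and title are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes WP_BEST_GALLERY_TABLE is the
// plugin's table constant and that gallery_id is an integer column; the
// column names image_url and title are assumed for rendering.
function wp_best_gallery_shortcode_hardened( $atts ) {
    global $wpdb;

    // Normalise attributes and supply a default; unknown keys are dropped.
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'best_slideshow_gallery' );

    // Validation: the id must be a positive integer. absint() reduces an
    // input such as "1 OR 1=1 UNION SELECT @@version --" to the integer 1,
    // so no injected text ever reaches the query.
    $gallery_id = absint( $atts['id'] );
    if ( 0 === $gallery_id ) {
        return '';
    }

    // Prepared statement: $wpdb->prepare() binds the id as %d and the status
    // as %s, so even an unvalidated value could not change the SQL structure.
    // Table names cannot be placeholders; the constant is trusted, not user input.
    $sql = $wpdb->prepare(
        "SELECT * FROM " . WP_BEST_GALLERY_TABLE . "
         WHERE gallery_id = %d AND gallery_status = %s
         ORDER BY gallery_order",
        $gallery_id,
        'ACTIVE'
    );

    $rows = $wpdb->get_results( $sql );
    if ( empty( $rows ) ) {
        return '';
    }

    // Output escaping: stored data is escaped when rendered back into the
    // page, so a tampered database row cannot inject HTML either.
    $out = '<div class="best-slideshow-gallery">';
    foreach ( $rows as $row ) {
        $out .= '<img src="' . esc_url( $row->image_url ) . '"'
              . ' alt="' . esc_attr( $row->title ) . '">';
    }
    return $out . '</div>';
}

add_shortcode( 'best_slideshow_gallery', 'wp_best_gallery_shortcode_hardened' );
```

When reviewing a patch for this class of bug, check both that the value is bound with prepare() and that the validation step exists; the prepared statement alone leaves a non-numeric id silently coerced rather than rejected.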

Conclusion

It is essential to keep WordPress plugins up to date and to follow secure coding practices to prevent vulnerabilities like CVE-2023-5435. Regularly auditing and testing your website for potential security flaws can greatly reduce the risk of unauthorized access and information leaks. Always stay vigilant and apply security patches as they become available to ensure your website remains safe from potential attacks.

Timeline

Published on: 10/31/2023 09:15:08 UTC
Last modified on: 11/07/2023 04:24:00 UTC