A newly disclosed vulnerability (CVE-2023-5437) in the WP Fade In Text News plugin for WordPress puts every site that runs it at risk. The issue is an SQL Injection in the plugin's shortcode handler and affects all versions up to and including 12. (the version string the plugin itself uses). It allows authenticated attackers with subscriber-level or higher permissions to append their own SQL to a query the plugin already runs, which can expose sensitive information from the site's database. The root cause is that a user-supplied shortcode attribute is interpolated into the SQL string without any escaping and without a prepared statement.
This post explains the vulnerability, shows the code responsible for it, walks through how it can be exploited, lists the original references, and describes the remedial measures site owners can take.
Code Snippet
The vulnerable code snippet responsible for the SQL Injection is found within the plugin's shortcode, as shown below:
<?php
/* Short code, version 1. (Vulnerable code as described above; elided parts are shown as comments.) */
function FadeInTextNews($atts) {
    global $wpdb;
    /* ... $table_name is set elsewhere in the plugin (elided) ... */
    // The width attribute is taken from the shortcode with no validation or escaping.
    $FadeInTextNews = $atts['width'];
    /* ... */
    // The raw attribute value is interpolated straight into the SQL string.
    $FadeInTextNews = $wpdb->get_results("SELECT * FROM $table_name where 1 = 1 $FadeInTextNews;");
    /* ... */
}
add_shortcode('fadein-news', 'FadeInTextNews');
As the snippet shows, the value of the width shortcode attribute is taken directly from user-supplied input and interpolated into the query string without escaping or a call to $wpdb->prepare(). Because it lands after where 1 = 1, the attacker controls the tail of an otherwise valid SELECT and can append further SQL; the trailing semicolon the plugin adds is no obstacle, since the injected text can end in an SQL comment. The result is that anyone who can get this shortcode rendered can read arbitrary data from the database.
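A hardened version of the handler, added here as an example and not taken from the plugin: it assumes a WordPress runtime, a table named from $wpdb->prefix (the real table name is not shown above), and that width is only a pixel width for the rendered markup, so it never reaches the query at all. The extra limit and status attributes and the id/title columns are likewise assumptions chosen to show the pattern: every value that must influence the query is either coerced to an integer, mapped onto a fixed allow-list, or bound through a $wpdb->prepare() placeholder.

```php
<?php
/* Hardened short code handler: added example, not the plugin's code. Assumes a
 * WordPress runtime; the table name, the limit/status attributes and the
 * id/title columns are assumptions made for illustration. */
function fadein_news_shortcode_safe( $atts ) {
    global $wpdb;

    // Assumed table name built from the site prefix; never taken from user input.
    $table_name = $wpdb->prefix . 'fadein_news';

    // Allow-list of attributes with defaults; unknown attributes are discarded.
    $atts = shortcode_atts(
        array(
            'width'  => 300,          // pixel width, used only in the rendered markup
            'limit'  => 10,           // number of rows to show
            'status' => 'published',  // assumed column, restricted below
        ),
        $atts,
        'fadein-news'
    );

    // Numeric attributes are coerced, so no attacker-controlled string reaches the query.
    $width = absint( $atts['width'] );
    $limit = max( 1, min( absint( $atts['limit'] ), 100 ) );

    // String attributes are mapped onto fixed values rather than passed through.
    $allowed_status = array( 'published', 'draft' );
    $status = in_array( $atts['status'], $allowed_status, true ) ? $atts['status'] : 'published';

    // Every user-influenced value is bound through a placeholder. The table name is
    // a trusted constant built above, which is the only reason interpolating it is safe.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table_name} WHERE status = %s ORDER BY id DESC LIMIT %d",
            $status,
            $limit
        )
    );

    // Escape on output as well: the titles come from the database, not from this request.
    $out = '<div class="fadein-news" style="width:' . $width . 'px">';
    foreach ( (array) $rows as $row ) {
        $out .= '<p>' . esc_html( $row->title ) . '</p>';
    }
    $out .= '</div>';

    return $out;
}
add_shortcode( 'fadein-news', 'fadein_news_shortcode_safe' );
```

The design point is that the query no longer has a user-controlled fragment at all: the attributes that were previously concatenated are replaced by typed values with placeholders, and the one attribute the attacker abused (width) is confined to the HTML where an integer cannot do harm.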
Exploit Details
The advisory rates the required privilege as subscriber-level or higher. The straightforward delivery path is to save a post or page containing the shortcode with a crafted attribute; note that on a default WordPress install a Subscriber cannot author posts, so in practice the attacker needs either a role that can (Contributor and above, even as an unpublished draft that is previewed) or any other feature of the site that renders the shortcode for them. The payload goes into the width attribute, as demonstrated below:
[fadein-news width="UNION SELECT user_login, user_pass, user_email FROM wp_users -- "]
Once the shortcode is rendered, the plugin executes SELECT * FROM <news table> where 1 = 1 UNION SELECT user_login, user_pass, user_email FROM wp_users -- ; so that the users' login names, password hashes and email addresses are returned as if they were news rows and appear wherever the shortcode prints its results. Two practical caveats: the UNION must supply the same number of columns as the news table (adjust the column list, padding with NULL as needed), and the wp_ prefix must match the site's actual table prefix. The trailing space after -- is required for MySQL to treat it as a comment.
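To find out whether a site has already been targeted this way, a responder will want to sweep stored post content for fadein-news shortcodes whose attributes carry SQL. The scanner below is an added example, not part of the original post or the plugin: it runs stand-alone with php scan.php, uses a small attribute parser of its own in place of WordPress's shortcode_parse_atts(), and operates on constructed sample rows that stand in for SELECT ID, post_content FROM wp_posts.

```php
<?php
/* Scanner for malicious fadein-news shortcodes in stored post content.
 * Added example, not the plugin's code; needs no WordPress runtime. */

// Match the shortcode and capture its raw attribute string.
const FADEIN_SHORTCODE_RE = '/\[fadein-news\b([^\]]*)\]/i';

// Tokens that have no business inside a width attribute.
const SQL_TOKEN_RE = '/\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b|--|\/\*|#|;|\'/i';

// Loose equivalent of WordPress's shortcode_parse_atts(): name="v", name='v' or name=v.
function parse_shortcode_atts(string $raw): array {
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $raw, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $value = $match[2] !== '' ? $match[2] : ($match[3] !== '' ? $match[3] : ($match[4] ?? ''));
        $atts[strtolower($match[1])] = $value;
    }
    return $atts;
}

// Returns one entry per attribute that is not a plain width and contains SQL tokens.
function find_suspicious_shortcodes(string $post_content): array {
    $hits = [];
    if (!preg_match_all(FADEIN_SHORTCODE_RE, $post_content, $m, PREG_SET_ORDER)) {
        return $hits;
    }
    foreach ($m as $match) {
        foreach (parse_shortcode_atts($match[1]) as $name => $value) {
            // A legitimate width is a short number, optionally with a px or % suffix.
            if (preg_match('/^\d{1,4}(px|%)?$/', $value)) {
                continue;
            }
            if (preg_match(SQL_TOKEN_RE, $value)) {
                $hits[] = ['shortcode' => $match[0], 'attribute' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample rows; in a real sweep feed in the output of
// `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[fadein-news%'"`.
$sample_posts = [
    42 => 'Welcome! [fadein-news width="300"] Enjoy the news.',
    43 => 'Draft [fadein-news width="UNION SELECT user_login, user_pass, user_email FROM wp_users -- "]',
    44 => 'No shortcode here.',
];

foreach ($sample_posts as $id => $content) {
    foreach (find_suspicious_shortcodes($content) as $hit) {
        printf("post %d: suspicious attribute %s=%s\n", $id, $hit['attribute'], $hit['value']);
    }
}
```

Run against the samples, only post 43 is reported. Revisions and autosaves live in the same table (post_type revision), so include them in the sweep: a draft that was saved, previewed and then cleaned up still leaves the payload in a revision row.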
Original References
- The official WordPress plugin repository page for the vulnerable plugin: https://wordpress.org/plugins/wp-fadeindeals/
- The CVE entry (CVE-2023-5437) on the National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-5437
Remedial Measures
To protect against this vulnerability, users of the WP Fade In Text News plugin should take the following steps:
1. Update the plugin as soon as the author releases a fixed version; until one exists, treat every installed version as affected.
2. In the meantime, deactivate or remove the plugin. This unregisters the vulnerable shortcode handler and with it the injection point, and it is the only complete mitigation while no fix is available.
3. Keep WordPress core and all other plugins updated to close known vulnerabilities.
4. Enforce strong password policies and two-factor authentication (2FA). The flaw requires an authenticated account, so limiting who can log in or register (for example, by disabling open registration) directly reduces exposure.
Conclusion
CVE-2023-5437 is a reminder that user input must never be concatenated into SQL, even in a seemingly harmless setting such as a shortcode attribute: validate the value, and bind it with a prepared statement. Site owners should remove or update the affected plugin and follow the practices above to keep their WordPress installation safe.
Timeline
Published on: 10/31/2023 09:15:00 UTC
Last modified on: 11/07/2023 04:24:00 UTC