CVE-2023-5465: Popup with Fancybox WordPress Plugin Vulnerable to SQL Injection Attacks

A security issue has been discovered in the Popup with Fancybox plugin for WordPress, which allows an attacker to execute SQL Injection attacks. This vulnerability has been assigned the CVE identifier CVE-2023-5465. The vulnerability affects versions up to and including 3.5 of the plugin.

The vulnerability exists due to insufficient escaping on user-supplied parameters and poor preparation of existing SQL queries. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries. Such injections can be used to extract sensitive information from the website's database.

In this post, we will discuss the details of this vulnerability, provide a code snippet that demonstrates the issue, link to the original references, and outline the potential exploits that can be executed.

Code Snippet

The vulnerable code exists within the shortcode handler of the plugin. Below is a code snippet that shows how the user-supplied id attribute reaches the SQL query unescaped:

// Vulnerable code in popup-with-fancybox.php (shortcode handler)
function pwf_callback( $atts ) {
    global $wpdb;

    // extract() turns the shortcode attributes into local variables, so $id
    // comes straight from the attacker-controlled shortcode.
    extract( shortcode_atts( array(
        'id' => '',
    ), $atts ) );

    // $id is concatenated into the SQL string with no escaping and no $wpdb->prepare().
    $result = $wpdb->get_results( "SELECT * FROM $wpdb->prefix" . "popup_with_fancybox_details WHERE id = '$id'" );
    ...
}

In the above code, the $id parameter from the user-supplied shortcode is inserted directly into the SQL query without proper escaping or validation, making it possible to inject SQL queries.

Exploit Details

An attacker can exploit this vulnerability by submitting a malicious shortcode to a WordPress site that uses the Popup with Fancybox plugin, like this:

[popupwfancybox id="1' OR '1' = '1"]

This would result in the following SQL query being executed on the server:

SELECT * FROM wp_popup_with_fancybox_details WHERE id = '1' OR '1' = '1'

As a result, the attacker would be able to retrieve all the data from the wp_popup_with_fancybox_details table.

Furthermore, if the attacker manages to extend the injected condition into further queries against other tables, they could potentially extract more sensitive information from the WordPress database, such as user credentials and other confidential details.

Mitigation

At the time of writing this post, the vulnerability has not been patched by the plugin developer. Therefore, it is advised to disable or remove the Popup with Fancybox plugin until a security update is released. Alternatively, site owners can apply proper input validation and query preparation within their own code (for example, casting the id to an integer and binding it with $wpdb->prepare()) to protect against SQL injection attacks.
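The following is an added example of what the hardened handler from the Code Snippet section looks like when the mitigation described above is applied; it is not the plugin's own code or the developer's fix. The function and table names follow the snippet on this page and the shortcode tag follows the Exploit Details section; the output markup and the `content` column are assumptions.

```php
<?php
// Added example, not part of the Popup with Fancybox plugin.
// Hardened counterpart of pwf_callback(): the id attribute is validated as an
// integer and bound with $wpdb->prepare() instead of being concatenated.

function pwf_callback_hardened( $atts ) {
    global $wpdb;

    // Whitelist the accepted attributes and keep them in an array rather than
    // calling extract(), which would create variables from attacker input.
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'popupwfancybox' );

    // The id column is an integer key, so anything that is not a positive
    // integer is rejected before a query is built. A payload such as
    // 1' OR '1' = '1 becomes 1 here and can no longer change the query.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    $table = $wpdb->prefix . 'popup_with_fancybox_details';

    // %d binds the value as an integer; the SQL structure is fixed at this point.
    $sql  = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    $rows = $wpdb->get_results( $sql );

    if ( empty( $rows ) ) {
        return '';
    }

    // Escape everything that is rendered back into the page.
    // The 'content' column name is an assumption for this example.
    return '<div class="pwf-popup" data-id="' . esc_attr( $id ) . '">'
        . wp_kses_post( $rows[0]->content )
        . '</div>';
}

// Register the hardened handler under the shortcode tag used on this page.
add_shortcode( 'popupwfancybox', 'pwf_callback_hardened' );
```

Two changes carry the fix: the attribute is coerced to an integer with absint(), and the query is built with $wpdb->prepare() using a %d placeholder, so the WHERE clause is fixed before any user data is involved. Replacing extract() with an explicit array access is a secondary hardening that keeps shortcode attributes from shadowing local variables.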

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5465
- Exploit Database: https://www.exploit-db.com/exploits/CVE-2023-5465
- WordPress Plugin Vulnerability Database: https://wpvulndb.com/vulnerabilities/CVE-2023-5465

Conclusion

CVE-2023-5465 is a critical security vulnerability that affects the Popup with Fancybox plugin for WordPress, making it susceptible to SQL Injection attacks. To protect your website and secure your users' data, it is crucial to stay informed about such vulnerabilities, install security patches, and adopt secure coding practices to prevent future attacks.

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/28/2023 19:29:22 UTC