CVE-2024-6205: Unauthenticated SQL Injection Vulnerability in PayPlus Payment Gateway WordPress Plugin (before version 6.6.9)

The PayPlus Payment Gateway is a popular WordPress plugin that provides a seamless integration between WooCommerce stores and the PayPlus payment processing platform. Recently, a security vulnerability was discovered in the plugin (versions before 6.6.9) that could potentially lead to unauthenticated SQL injection attacks. In this post, we will delve deeper into the vulnerability, revealing the details of the exploit and how you can mitigate this issue.

Description of the vulnerability

The vulnerability is due to improper sanitization and escaping of a parameter before using it in a SQL statement, specifically within a WooCommerce API route that is available to unauthenticated users. This opens the door for attackers to inject malicious SQL code and manipulate or extract sensitive information from the website's database.

The following code snippet demonstrates the vulnerable portion of the code in the PayPlus Payment Gateway plugin:

function payplus_get_orders_api_callback($request_data){
  global $wpdb;
  // order_id is taken straight from the query string: no type check, no escaping
  $order_id = $_GET['order_id'];
  // the raw value is interpolated into the SQL string, so it can change the query structure
  $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}woocommerce_order_items WHERE order_id = $order_id");
  return $results;
}

As you can see, the $order_id variable is read directly from the $_GET superglobal and is neither validated nor passed through $wpdb->prepare() before being interpolated into the SQL query. This creates the possibility for SQL injection attacks.

To exploit the vulnerability, an attacker could craft an HTTP GET request to the following URL:

http://[target-domain]/wp-json/payplus/v1/orders?order_id=[SQL_INJECTION_PAYLOAD]

By replacing the [SQL_INJECTION_PAYLOAD] with a carefully crafted SQL command, an attacker could potentially inject malicious SQL code and manipulate the database.

Original References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6205
2. WordPress Plugin Details: https://wordpress.org/plugins/payplus-payment-gateway/

To address this vulnerability, users of the PayPlus Payment Gateway plugin have two primary options:

1. Update to the latest version of the plugin (6.6.9 or later), which incorporates a fix for the SQL injection vulnerability. Navigate to the 'Plugins' page in your WordPress admin area, locate the PayPlus Payment Gateway, and click 'Update Now' to apply the patch.

2. If you can't update the plugin, you can temporarily disable the vulnerable API route by commenting out the following lines in the plugin's main PHP file:

add_action('rest_api_init', function(){
  // registers GET /wp-json/payplus/v1/orders/ with no permission_callback,
  // so the vulnerable callback is reachable by unauthenticated requests
  register_rest_route('payplus/v1', '/orders/', array(
    'methods' => 'GET',
    'callback' => 'payplus_get_orders_api_callback',
  ));
});

In both cases, it's crucial to take a full backup of your website before performing the update or making any changes.
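As an added example (not the plugin's own code and not the vendor's 6.6.9 patch), here is how the callback and route registration shown above could be hardened: the parameter is read from the REST request object, validated as a positive integer, bound with $wpdb->prepare(), and the route is gated behind a permission_callback. The function name and the manage_woocommerce capability check are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. The function name and the
// capability used in permission_callback are assumptions.

function payplus_get_orders_api_callback_hardened( WP_REST_Request $request ) {
    global $wpdb;

    // Read the parameter from the request object rather than $_GET and
    // coerce it to a non-negative integer; anything else becomes 0.
    $order_id = absint( $request->get_param( 'order_id' ) );
    if ( 0 === $order_id ) {
        return new WP_Error(
            'rest_invalid_param',
            'order_id must be a positive integer.',
            array( 'status' => 400 )
        );
    }

    // Prepared statement: %d binds the value as an integer, so user input
    // can never alter the structure of the query.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}woocommerce_order_items WHERE order_id = %d",
        $order_id
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'payplus/v1', '/orders/', array(
        'methods'             => 'GET',
        'callback'            => 'payplus_get_orders_api_callback_hardened',
        // Only users allowed to manage WooCommerce orders may call the route;
        // the original registration had no permission_callback at all.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Declarative schema: the REST layer rejects a missing or
        // non-integer order_id before the callback is invoked.
        'args'                => array(
            'order_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

With this registration, a request such as /wp-json/payplus/v1/orders?order_id=abc is rejected with HTTP 400 by the schema check, and an anonymous request is rejected with 401/403 before any database access occurs.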

Conclusion

The disclosure of the CVE-2024-6205 vulnerability underscores the importance of regularly updating your WordPress plugins and maintaining awareness of emerging security threats. By staying informed and taking prompt action to patch vulnerabilities, you can help ensure the ongoing security of your website and protect sensitive information from unauthorized access.

Timeline

Published on: 07/19/2024 06:15:03 UTC
Last modified on: 08/01/2024 14:00:15 UTC