CVE-2024-7651 - Unauthenticated SQL Injection Vulnerability in App Builder WordPress Plugin

Introduction
A recent vulnerability (CVE-2024-7651) has been discovered in the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress. This vulnerability is present in all versions up to, and including, 4.2.6, and unauthenticated attackers can exploit it to perform limited SQL Injection attacks. This post will provide an overview of the vulnerability, a code snippet demonstrating the issue, and links to original references for further information.

Details of Vulnerability

The App Builder WordPress plugin is vulnerable to limited SQL Injection attacks due to insufficient escaping on a user-supplied parameter ('app-builder-search') and lack of sufficient preparation on the existing SQL query. This vulnerability allows unauthenticated attackers to append additional SQL queries into already existing queries, which can be used to extract sensitive information from the database.

Here is an example of the vulnerable code within the App Builder WordPress plugin:

function app_builder_search() {
  global $wpdb;
  // User-controlled POST value, taken without any escaping or sanitization
  $search = $_POST['app-builder-search'];
  // The raw value is interpolated straight into the SQL text, so a single quote
  // in $search terminates the LIKE literal and the remainder is parsed as SQL
  $query = "SELECT * FROM {$wpdb->prefix}app_builder WHERE title LIKE '%$search%'";
  ...
}

In this code snippet, you can see that the $search variable is directly appended into the SQL query without any escaping or sanitization. This makes it vulnerable to SQL Injection attacks.
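As an added example (not the plugin's own code, and not necessarily the fix shipped in 4.2.7), here is how the handler above could be hardened with the standard WordPress $wpdb API. It assumes a WordPress runtime; the function, table and parameter names follow the snippet above.

```php
<?php
// Added example (not the plugin's code): hardened counterpart of the
// app_builder_search() handler shown above. Assumes the WordPress runtime
// ($wpdb, sanitize_text_field(), wp_unslash()); table and parameter names
// are taken from the vulnerable snippet.

function app_builder_search_hardened() {
    global $wpdb;

    // Read the parameter defensively: a missing value yields '' instead of a
    // PHP notice, wp_unslash() strips WordPress' added slashes, and
    // sanitize_text_field() removes tags, line breaks and stray control bytes.
    $raw = isset( $_POST['app-builder-search'] )
        ? sanitize_text_field( wp_unslash( $_POST['app-builder-search'] ) )
        : '';

    // esc_like() escapes the LIKE metacharacters (%, _ and backslash) in the
    // user value so it cannot widen the match; the wildcards are added here.
    $pattern = '%' . $wpdb->esc_like( $raw ) . '%';

    // prepare() binds the pattern as a quoted, escaped string literal (%s).
    // Only the server-controlled table prefix is interpolated into the SQL
    // text; a quote, comment marker or UNION in the user value stays data.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}app_builder WHERE title LIKE %s",
        $pattern
    );

    return $wpdb->get_results( $sql );
}
```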

Exploit Details

An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing a payload in the 'app-builder-search' parameter. This payload can be designed to append additional malicious SQL queries to the existing query. Since the attacker does not need to be authenticated, the attack surface is much larger and easier to exploit.

For example, an attacker could send the following payload to extract sensitive information from the database: ' UNION SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'wordpress_db'--

References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7651
2. Official WordPress Plugin Repository: https://wordpress.org/plugins/create-mobile-app-for-woocommerce
3. WPScan Vulnerability Database: https://wpscan.com/vulnerability/8a133509-b72e-4ffd-bb43-494e9e4d2a40

Mitigation and Conclusion

Users of the App Builder – Create Native Android & iOS Apps On The Flight WordPress plugin are advised to update their plugin to version 4.2.7 or later to address this vulnerability. Additionally, users should ensure that their WordPress installation and all other plugins are up to date to minimize the risk of future vulnerabilities being exploited.

Timeline

Published on: 08/21/2024 06:15:12 UTC
Last modified on: 08/31/2024 03:28:02 UTC