New WordPress SQLi Vulnerability Uncovered

A new WordPress SQLi vulnerability has been discovered by security researchers in a WordPress core, it’s strongly recommended to update to version 4.8.3, the latest at the time of writing, if you haven’t done so already.

AppCheck had a plugin available in our scanner within hours of the vulnerability being disclosed (31/10/2017), the vulnerability exploits a flaw in the “$wpdb->prepare()” code in meta.php where by an attacker could take advantage of an SQL query being doubly prepared and manipulate the input.
example
$my_where = $wpdb->prepare(" WHERE foo = %s", "%s ");
$taint = [" OR 1=1 # ", 2, 3];
$my_query = $wpdb->prepare("SELECT * FROM something $my_where LIMIT %d, %d", $taint);

Results in
SELECT * FROM something WHERE foo = '' OR 1=1 # ' ' LIMIT 2, 3

In the above example the “%s” in the first prepare is replaced by another %s from an input which makes it through to the 2nd prepare statement that could handle user input and allow an attacker to perform SQL injection.

A full write up from the original researcher can be found here and the WordPress advisory notice here

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial