Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points

Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, including that four out of five were vulnerable in only one or both the ORDER and ORDER BY clauses.

In each case, vulnerabilities were responsibly disclosed to the respective vendors. At the time of writing one of the four had not yet been remediated and so will not be named here (but stay tuned for future posts). The other three (each with 10,000+ active installations) were:

1) Membership & Content Restriction - Paid Member Subscriptions < 2.4.2 -- the 'order' parameter was vulnerable in the 'Members' page search, while both 'order' and 'orderby' were vulnerable in the 'Payments' page search

2) WP Simple Booking Calendar <= 2.0.6 -- the 'orderby' parameter in the 'Search Calendars' action was vulnerable

3) Stop Bad Bots <= 6.59 -- the 'order' and 'orderby' parameters were vulnerable on three different pages

 

More Mostly Good News

Using ORDER or ORDER BY as an injection point presents some serious limitations for an attacker. Because these injection points do not support traditional data exfiltration constructs like UNION, a malicious user is typically restricted to basic yes/no answers to queries.

If numerous requests can be submitted, this can still be a practical way to extract high-value data. It does, however, mean that single malicious requests are mostly of little use.

 

Even More Mostly Good News

Another factor contributing to the lower severity of each of these vulnerabilities is that none were found to be exploitable with unauthenticated or low-privilege roles.

 

Notable Takeaways

1) Although often of lower concern, developers are reminded to not overlook these two potential injection points.

2) A common pattern with the vulnerabilities was that, although something like 'order' and 'orderby' request parameters were processed by the application on the server, these parameters were never actually sent by the client during normal, legitimate functionality.

It may be that these were cases of functionality that was formerly in active use, but that client code evolved to no longer submit those parameters.  Or, in at least a couple of cases, it could be that the parameters are indeed actively used in the 'Pro' version of the plugin.  In any case, it is a good reminder that anything resembling 'dead code' can be a point of vulnerability.

The related tip here is from a research perspective:  If a researcher's approach is to capture normal requests and then run a tool like sqlmap against only the parameters that are present in the normal request, some vulnerabilities like these will be missed.

3) It is fairly common to see attempted sanitization of the relevant parameters.  For example, the first of the three plugins listed above included this code which was then concatenated with additional content to produce an executed query:

$args['orderby'] = sanitize_text_field( $_REQUEST['orderby'] );
$args['order'] = sanitize_text_field( $_REQUEST['order'] );

Unfortunately, that particular sanitization function is ineffective for what is required here.  If using sanitization rather than prepared statements, be mindful of what sanitization a given function will actually do and whether it matches the sanitization that is needed.

The best way to avoid SQL Injection attacks is to use prepared statements. But, if using sanitization for ORDER and ORDER BY clauses, the best sanitization is to use a positive security model. For example, confirm that the ORDER parameter is exactly 'asc' or 'desc' and nothing else, and confirm that the ORDER BY parameter is exactly one of the column names expected.

 

References

TWSL2021-012: Vulnerabilities in WordPress Plugin Membership & Content Restriction - Paid Member Subscriptions
TWSL2021-013: Authenticated SQL Injection in WordPress Plugin Stop Bad Bots
TWSL2021-014: Authenticated SQL Injection in WordPress Plugin WP Simple Booking Calendar

Latest SpiderLabs Blogs

Important Security Defenses to Help Your CISO Sleep at Night

This is Part 13 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More