Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points

Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, including that four out of five were vulnerable in only one or both the ORDER and ORDER BY clauses.

In each case, vulnerabilities were responsibly disclosed to the respective vendors. At the time of writing one of the four had not yet been remediated and so will not be named here (but stay tuned for future posts). The other three (each with 10,000+ active installations) were:

1) Membership & Content Restriction - Paid Member Subscriptions < 2.4.2 -- the 'order' parameter was vulnerable in the 'Members' page search, while both 'order' and 'orderby' were vulnerable in the 'Payments' page search

2) WP Simple Booking Calendar <= 2.0.6 -- the 'orderby' parameter in the 'Search Calendars' action was vulnerable

3) Stop Bad Bots <= 6.59 -- the 'order' and 'orderby' parameters were vulnerable on three different pages


More Mostly Good News

Using ORDER or ORDER BY as an injection point presents some serious limitations for an attacker. Because these injection points do not support traditional data exfiltration constructs like UNION, a malicious user is typically restricted to basic yes/no answers to queries.

If numerous requests can be submitted, this can still be a practical way to extract high-value data. It does, however, mean that single malicious requests are mostly of little use.


Even More Mostly Good News

Another factor contributing to the lower severity of each of these vulnerabilities is that none were found to be exploitable with unauthenticated or low-privilege roles.


Notable Takeaways

1) Although often of lower concern, developers are reminded to not overlook these two potential injection points.

2) A common pattern with the vulnerabilities was that, although something like 'order' and 'orderby' request parameters were processed by the application on the server, these parameters were never actually sent by the client during normal, legitimate functionality.

It may be that these were cases of functionality that was formerly in active use, but that client code evolved to no longer submit those parameters.  Or, in at least a couple of cases, it could be that the parameters are indeed actively used in the 'Pro' version of the plugin.  In any case, it is a good reminder that anything resembling 'dead code' can be a point of vulnerability.

The related tip here is from a research perspective:  If a researcher's approach is to capture normal requests and then run a tool like sqlmap against only the parameters that are present in the normal request, some vulnerabilities like these will be missed.

3) It is fairly common to see attempted sanitization of the relevant parameters.  For example, the first of the three plugins listed above included this code which was then concatenated with additional content to produce an executed query:

$args['orderby'] = sanitize_text_field( $_REQUEST['orderby'] );
$args['order'] = sanitize_text_field( $_REQUEST['order'] );

Unfortunately, that particular sanitization function is ineffective for what is required here.  If using sanitization rather than prepared statements, be mindful of what sanitization a given function will actually do and whether it matches the sanitization that is needed.

The best way to avoid SQL Injection attacks is to use prepared statements. But, if using sanitization for ORDER and ORDER BY clauses, the best sanitization is to use a positive security model. For example, confirm that the ORDER parameter is exactly 'asc' or 'desc' and nothing else, and confirm that the ORDER BY parameter is exactly one of the column names expected.



TWSL2021-012: Vulnerabilities in WordPress Plugin Membership & Content Restriction - Paid Member Subscriptions
TWSL2021-013: Authenticated SQL Injection in WordPress Plugin Stop Bad Bots
TWSL2021-014: Authenticated SQL Injection in WordPress Plugin WP Simple Booking Calendar

Latest SpiderLabs Blogs

Trustwave SpiderLabs Report: LockBit 3.0 Ransomware Vs. the Manufacturing Sector

As the manufacturing sector continues its digital transformation, Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are becoming...

Read More

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground...

Read More

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More