Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, including that four out of five were vulnerable in only one or both the ORDER and ORDER BY clauses.
In each case, vulnerabilities were responsibly disclosed to the respective vendors. At the time of writing one of the four had not yet been remediated and so will not be named here (but stay tuned for future posts). The other three (each with 10,000+ active installations) were:
1) Membership & Content Restriction - Paid Member Subscriptions < 2.4.2 -- the 'order' parameter was vulnerable in the 'Members' page search, while both 'order' and 'orderby' were vulnerable in the 'Payments' page search
2) WP Simple Booking Calendar <= 2.0.6 -- the 'orderby' parameter in the 'Search Calendars' action was vulnerable
3) Stop Bad Bots <= 6.59 -- the 'order' and 'orderby' parameters were vulnerable on three different pages
More Mostly Good News
Using ORDER or ORDER BY as an injection point presents some serious limitations for an attacker. Because these injection points do not support traditional data exfiltration constructs like UNION, a malicious user is typically restricted to basic yes/no answers to queries.
If numerous requests can be submitted, this can still be a practical way to extract high-value data. It does, however, mean that single malicious requests are mostly of little use.
Even More Mostly Good News
Another factor contributing to the lower severity of each of these vulnerabilities is that none were found to be exploitable with unauthenticated or low-privilege roles.
Notable Takeaways
1) Although often of lower concern, developers are reminded to not overlook these two potential injection points.
2) A common pattern with the vulnerabilities was that, although something like 'order' and 'orderby' request parameters were processed by the application on the server, these parameters were never actually sent by the client during normal, legitimate functionality.
It may be that these were cases of functionality that was formerly in active use, but that client code evolved to no longer submit those parameters. Or, in at least a couple of cases, it could be that the parameters are indeed actively used in the 'Pro' version of the plugin. In any case, it is a good reminder that anything resembling 'dead code' can be a point of vulnerability.
The related tip here is from a research perspective: If a researcher's approach is to capture normal requests and then run a tool like sqlmap against only the parameters that are present in the normal request, some vulnerabilities like these will be missed.
3) It is fairly common to see attempted sanitization of the relevant parameters. For example, the first of the three plugins listed above included this code which was then concatenated with additional content to produce an executed query:
$args['orderby'] = sanitize_text_field( $_REQUEST['orderby'] );
$args['order'] = sanitize_text_field( $_REQUEST['order'] );
Unfortunately, that particular sanitization function is ineffective for what is required here. If using sanitization rather than prepared statements, be mindful of what sanitization a given function will actually do and whether it matches the sanitization that is needed.
The best way to avoid SQL Injection attacks is to use prepared statements. But, if using sanitization for ORDER and ORDER BY clauses, the best sanitization is to use a positive security model. For example, confirm that the ORDER parameter is exactly 'asc' or 'desc' and nothing else, and confirm that the ORDER BY parameter is exactly one of the column names expected.
References
TWSL2021-012: Vulnerabilities in WordPress Plugin Membership & Content Restriction - Paid Member Subscriptions
TWSL2021-013: Authenticated SQL Injection in WordPress Plugin Stop Bad Bots
TWSL2021-014: Authenticated SQL Injection in WordPress Plugin WP Simple Booking Calendar