A SQL injection vulnerability has been discovered in versions before 4.3 of the WordPress Classifieds Plugin WordPress plugin. This vulnerability arises due to improper sanitization and escaping of some parameters when used in a SQL statement via an AJAX action, which is available to unauthenticated users and occurs when a specific premium module is active. This article will walk you through what the vulnerability is, how it can be exploited, and provide some sample code snippets illustrating the vulnerability and remediation steps.

Vulnerability Details

The WordPress Classifieds Plugin WordPress plugin is a popular plugin used to create classified advertisement websites on the WordPress platform. The vulnerability, identified as CVE-2022-3254, has the potential to allow an attacker to execute malicious SQL queries in the affected plugin's database. This could lead to unauthorized access to sensitive information, data manipulation, and potential compromise of the website.

The vulnerability stems from a lack of adequate input validation and sanitization of certain parameters before they are used in a SQL query executed via an AJAX action. The AJAX action is reachable by unauthenticated users, but only when a particular premium module is active; on sites where that module is enabled, the SQL injection can be exploited without logging in.

Exploit Details

To better understand the exploit and the vulnerability, let's examine a code snippet from the affected plugin. The following sample code demonstrates the vulnerability when handling user-supplied data in an unsanitized manner:

// vulnerable code in plugin classifieds-plugin/classifieds-plugin.php
function cp_search_by_location_ajax() {
  global $wpdb;

  $lat = $_POST['lat'];
  $lng = $_POST['lng'];

  // ... other code derives $min_lat, $max_lat, $min_lng and $max_lng from the raw $lat and $lng ...

  // Unsafe SQL query
  $sql = "SELECT * FROM {$wpdb->prefix}cp_ad_geocodes WHERE lat >= $min_lat AND lat <= $max_lat AND lng >= $min_lng AND lng <= $max_lng";
  $results = $wpdb->get_results($sql, OBJECT);

  // ... other code ...
}

In the code snippet above, the attacker-supplied values of $_POST['lat'] and $_POST['lng'] are used as-is, without sanitization or validation, so the bounding-box values interpolated into the query are under the attacker's control. A specially crafted request can therefore change the structure of the SQL statement and read or modify data in the affected site's database.

Mitigation

To fix this vulnerability, user input must be validated and sanitized before it is used in a SQL query. WordPress provides esc_sql() for values placed inside quoted string literals and $wpdb->prepare() for binding values with %s, %d and %f placeholders; for numeric values that are interpolated unquoted, as here, esc_sql() is not sufficient on its own, and the value should be cast to a number or bound with %d/%f. Here is an example of how the vulnerable code can be rewritten to protect against the SQL injection:

// Fixed code in plugin classifieds-plugin/classifieds-plugin.php
function cp_search_by_location_ajax() {
  global $wpdb;

  $lat = floatval($_POST['lat']);
  $lng = floatval($_POST['lng']);

  // ... other code derives $min_lat, $max_lat, $min_lng and $max_lng from the numeric $lat and $lng ...

  // Safe SQL query using prepared statements
  $sql = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}cp_ad_geocodes WHERE lat >= %f AND lat <= %f AND lng >= %f AND lng <= %f", $min_lat, $max_lat, $min_lng, $max_lng);
  $results = $wpdb->get_results($sql, OBJECT);

  // ... other code ...
}

In the code snippet above, floatval() converts the $_POST values to numbers, so anything that is not numeric is discarded (floatval() returns 0.0 for non-numeric input rather than failing), and $wpdb->prepare() binds the derived bounds with %f placeholders so that no request data is ever concatenated into the SQL text.
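The following is an added example, not code from the plugin or from the original article, showing a stricter version of the same fix: coordinates are rejected (instead of silently coerced to 0.0 by floatval()) when they are non-numeric or outside the valid latitude/longitude ranges, and every bound is passed to $wpdb->prepare() with a %f placeholder. The function names, the $radius parameter and the JSON error responses are assumptions; the cp_ad_geocodes table and the bounding-box query come from the article.

```php
<?php
// Added example (not the plugin's code): strict coordinate validation for the
// AJAX handler described above. Function names and $radius are assumptions.

/**
 * Parse one coordinate from the request. Returns a float, or null when the
 * value is missing, non-numeric, non-finite, or outside [$min, $max].
 * Unlike floatval(), which turns "abc" into 0.0, a bad value is rejected.
 */
function cp_parse_coordinate( $raw, $min, $max ) {
    if ( ! is_string( $raw ) && ! is_numeric( $raw ) ) {
        return null; // null, arrays and objects are never valid coordinates
    }
    $raw = trim( (string) $raw );
    // is_numeric() accepts "12.5" and "1e2" but rejects anything carrying
    // extra characters, so SQL fragments never reach the cast below.
    if ( '' === $raw || ! is_numeric( $raw ) ) {
        return null;
    }
    $value = (float) $raw;
    if ( ! is_finite( $value ) || $value < $min || $value > $max ) {
        return null;
    }
    return $value;
}

/**
 * Build the bounding-box query. All four bounds are bound via %f, so the
 * query text itself never contains request data.
 */
function cp_build_geocode_query( $wpdb, $lat, $lng, $radius ) {
    $sql = "SELECT * FROM {$wpdb->prefix}cp_ad_geocodes "
         . 'WHERE lat >= %f AND lat <= %f AND lng >= %f AND lng <= %f';
    return $wpdb->prepare( $sql, $lat - $radius, $lat + $radius, $lng - $radius, $lng + $radius );
}

function cp_search_by_location_ajax_hardened() {
    global $wpdb;
    $lat = cp_parse_coordinate( isset( $_POST['lat'] ) ? $_POST['lat'] : null, -90.0, 90.0 );
    $lng = cp_parse_coordinate( isset( $_POST['lng'] ) ? $_POST['lng'] : null, -180.0, 180.0 );
    if ( null === $lat || null === $lng ) {
        // Reject the request instead of querying with a meaningless 0.0 box.
        wp_send_json_error( array( 'message' => 'Invalid coordinates' ), 400 );
    }
    $results = $wpdb->get_results( cp_build_geocode_query( $wpdb, $lat, $lng, 0.5 ), OBJECT );
    wp_send_json_success( $results );
}
```

Rejecting malformed input with a 400 also makes abuse of the unauthenticated endpoint visible in the web server logs, whereas floatval() alone would answer such requests as if they were valid searches at coordinate 0,0.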

For users of the plugin, you should immediately update to the latest version (4.3 or later) to ensure that your website is protected from this vulnerability. You can follow the plugin's official documentation and changelog for more information on this update and other security improvements.

Original References

- CVE-2022-3254
- WordPress Classifieds Plugin WordPress Plugin Vulnerability

In conclusion, it is crucial to be diligent about input validation and sanitization to protect your website and user data from potential SQL injection vulnerabilities such as CVE-2022-3254. Regularly updating your software and plugins to their latest versions helps address known security issues and vulnerabilities, ensuring the security and stability of your website.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 13:58:00 UTC