CVE-2023-5336: iPanorama 360 – WordPress Virtual Tour Builder Plugin, SQL Injection Vulnerability

The iPanorama 360 – WordPress Virtual Tour Builder plugin is a widely-used plugin for integrating interactive 360-degree virtual tours on WordPress websites. Unfortunately, the plugin in versions up to, and including, 1.8. has been found vulnerable to SQL Injection. This issue allows authenticated attackers with contributor-level and above permissions to inject malicious SQL queries into existing queries, thus compromising sensitive information stored within the database. In this post, we will discuss the details of this vulnerability, its potential impact, and possible mitigation strategies.

Vulnerability Details (CVE-2023-5336)

The issue stems from the improper handling of user-supplied input within the plugin's shortcode, which results in a lack of adequate escaping on the supplied parameters. Furthermore, the existing SQL query does not ensure sufficient preparation to avoid the executing of arbitrary SQL queries.

The vulnerable code snippet is as follows

// ipanorama.php line 168
public function shortcode( $atts ) {
    global $wpdb;
    $id = intval( $atts['id'] );
    $table_name = $wpdb->prefix . "ip360_info";
    $info = $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A );
    ...
}

As seen in the code snippet above, the $id parameter is directly derived from user-supplied input without any validation or escaping. This allows a malicious user to append additional SQL commands to the existing query.

Exploit Scenario

An attacker with contributor-level access to the WordPress site can exploit this vulnerability to craft a malicious shortcode that will permit the execution of arbitrary SQL queries. This can ultimately lead to the extraction of sensitive information, such as user credentials, and could also allow the attacker to gain administrative access thereby compromising the website.

Original References

- NVD - CVE-2023-5336
- WPVulnDB - iPanorama 360 1.8. - SQL Injection

Mitigation

As of now, the plugin developers have not released an updated version to address this issue. Therefore, users are advised to take the following steps:

1. Disable and remove the iPanorama 360 – WordPress Virtual Tour Builder plugin if possible or search for alternative plugins with similar functionality.
2. In case the plugin is critical to the website's functionality, restrict its access only to trusted users with appropriate permissions. Regularly monitor activity logs for signs of unauthorized access or malicious activity.
3. Employ strong and unique passwords for WordPress accounts, particularly for users with elevated privileges.

Conclusion

The iPanorama 360 – WordPress Virtual Tour Builder plugin in versions up to, and including, 1.8. is vulnerable to SQL Injection due to insufficient escaping of user-supplied input and lack of proper preparation of SQL queries. To safeguard against this vulnerability and protect sensitive information, it is imperative for users to either remove the plugin or employ stringent security measures to limit its accessibility.

Timeline

Published on: 10/19/2023 02:15:07 UTC
Last modified on: 11/07/2023 04:23:55 UTC