CVE-2023-5439 - Wp Photo Text Slider 50 Plugin for WordPress SQL Injection Vulnerability

The Wp photo text slider 50 plugin for WordPress, designed to display your featured photos and text content in a beautiful sliding format, has been discovered to have a critical vulnerability that can be exploited by authenticated attackers with subscriber-level permissions. This vulnerability allows attackers to perform SQL Injection attacks and potentially access sensitive information from the affected website's database.

The SQL Injection vulnerability is found in versions up to and including 8. of the plugin. It stems from insufficient escaping of user-supplied parameters and lack of proper preparation of SQL queries. This blog post will discuss the details of this vulnerability, provide an example of how it can be exploited, and mention any known methods for mitigation or patching.

Original References

1. https://wordpress.org/plugins/wp-photo-text-slider-50/
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5439
3. https://wpvulndb.com/vulnerabilities/12402

Exploit Details

The vulnerability lies in the plugin's shortcode functionality. Shortcodes are used in WordPress to allow users to easily embed content, such as plugin features or media, into posts or pages. The Wp photo text slider 50 plugin utilizes shortcodes for users to display their sliding photo and text content, but the plugin fails to properly sanitize the user input supplied through the shortcode, allowing for SQL injection attacks to take place.

The following code snippet demonstrates the vulnerable code in the plugin (wp-photo-text-slider-50.php):

function wp_photo_text_slider_50_shortcode( $atts ) {
  extract( shortcode_atts( array(
    'count' => -1,
  ), $atts ) );
  
  $data = photo_text_slider_50_data($count);
  return $data;
}

In this code snippet, the plugin extracts the shortcode attribute named 'count,' which is user-supplied input, and passes it to the photo_text_slider_50_data() function without proper sanitization. This function is responsible for building and executing the SQL queries to retrieve content from the WordPress website's database.

The following code snippet is from the photo_text_slider_50_data() function, which shows the lack of proper input sanitization and SQL query preparation:

function photo_text_slider_50_data($count) {
  global $wpdb;
  $table = $wpdb->prefix . "wpts_50_database";
  $sql = "SELECT * FROM " . $table . " WHERE 1=1 ORDER BY wpts_order LIMIT " . $count . ";";
  $data = $wpdb->get_results($sql);
  return $data;
}

In this function, the user-supplied 'count' parameter is directly appended to the SQL query string without any escaping or validation. This allows attackers to inject malicious SQL code into the query, potentially exposing sensitive information in the website's database.

For example, an attacker with a subscriber-level account could create a WordPress post containing the following malicious shortcode, which could return sensitive information such as admin usernames and password hashes:

[wp_photo_text_slider_50 count="1; SELECT user_login, user_pass FROM wp_users WHERE id=1 -- "]

This would execute the appended SQL query, returning the targeted information to the attacker.

Mitigation and Patching

Updating the Wp photo text slider 50 plugin to version 8.1 or above should resolve this vulnerability, as it includes a patch to properly sanitize user input and prepare SQL queries. You can download the latest version of the plugin from the following link:

- https://wordpress.org/plugins/wp-photo-text-slider-50/

In the meantime, it is advised to temporarily disable the plugin or restrict subscriber-level users from creating new content, if possible, until it is properly patched and updated.

Conclusion

The Wp photo text slider 50 plugin for WordPress, versions up to and including 8., is vulnerable to SQL Injection attacks due to insufficient user input sanitization and improper SQL query preparation. Users with subscriber-level permissions can exploit this vulnerability to access sensitive information stored in the WordPress website's database. To avoid falling victim to this exploit, ensure that your plugin is updated to version 8.1 or above, and limit subscriber-level users' permissions until your site is secure.

Timeline

Published on: 10/31/2023 09:15:09 UTC
Last modified on: 11/07/2023 04:24:01 UTC