The popular Jquery Accordion Slideshow plugin for WordPress (versions up to, and including, 8.1) has been discovered to contain a critical vulnerability that could lead to SQL injection attacks. This vulnerability (CVE-2023-5464) is caused by insufficient data escaping on user-supplied parameters and inadequate preparation of existing SQL queries in the affected plugin. As a result, attackers with subscriber-level or higher permissions could exploit this vulnerability to append additional SQL queries into pre-existing ones and gain unauthorized access to sensitive information from the WordPress database.

In the affected plugin, the vulnerability occurs in the following code snippet:

// plugin_shortcode.php (vulnerable version, as shipped in versions up to 8.1)
function jquery_accordion_slideshow_show_plugin( $atts ) {
    global $wpdb;
    // extract() turns the shortcode attributes into local variables,
    // so $gallery is whatever the post author wrote in the shortcode.
    extract( shortcode_atts( array (
        'gallery' => '1',
    ), $atts ) );

    // Bad Escaping and No Query Preparation:
    // $gallery is interpolated straight into the SQL string, so a value
    // containing a quote character terminates the LIKE literal.
    $result = $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE post_type = 'vps_accordion_gallery' AND post_status = 'publish' AND post_content LIKE '%$gallery%' ORDER BY post_date DESC", OBJECT );
    // ... (remainder of the function elided in the original)
}

This code snippet from the plugin_shortcode.php file takes the user-supplied shortcode attribute ($gallery) and interpolates it directly into the SQL string, with no escaping, no validation, and no use of $wpdb->prepare(). Consequently, an attacker who controls this attribute can inject an arbitrary SQL query into the existing query.
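For contrast, here is one way the same handler could be hardened. This is an added example, not the plugin's own patch; it assumes it runs inside WordPress (where $wpdb, shortcode_atts() and esc_html() exist), and the "_hardened" function name is an assumption for this illustration.

```php
<?php
// Added example (not the plugin's own patch): a hardened version of the
// shortcode handler from plugin_shortcode.php. Assumes the WordPress
// runtime: $wpdb (class wpdb), shortcode_atts() and esc_html().
// The "_hardened" suffix on the function name is an assumption.
function jquery_accordion_slideshow_show_plugin_hardened( $atts ) {
    global $wpdb;

    // Read attributes explicitly instead of extract()-ing untrusted input
    // into the local scope (extract() can also clobber other variables).
    $atts    = shortcode_atts( array( 'gallery' => '1' ), $atts, 'accordionslideshow' );
    $gallery = (string) $atts['gallery'];

    // Layer 1: allow-list the value. The attribute names a gallery, so only
    // a positive integer is meaningful; anything else renders nothing.
    if ( ! preg_match( '/^[1-9][0-9]*$/', $gallery ) ) {
        return '';
    }

    // Layer 2: never interpolate the value into SQL. $wpdb->prepare() binds
    // %s as a quoted string and $wpdb->esc_like() escapes the LIKE wildcards
    // (% and _) inside the value, so the wildcards are only the ones we add.
    $like = '%' . $wpdb->esc_like( $gallery ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title, post_content
           FROM {$wpdb->posts}
          WHERE post_type = %s
            AND post_status = 'publish'
            AND post_content LIKE %s
          ORDER BY post_date DESC",
        'vps_accordion_gallery',
        $like
    );
    $result = $wpdb->get_results( $sql, OBJECT );

    // Layer 3: escape on output, since shortcode output lands in page HTML.
    $html = '<ul class="accordion-gallery">';
    foreach ( $result as $row ) {
        $html .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $html . '</ul>';
}
```

The allow-list check alone would already stop the injection; the prepared statement is kept as a second, independent layer so that the query stays safe even if the validation rule is later relaxed to accept gallery names rather than IDs.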

Original References

1. Official CVE Listing: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5464
2. Affected WordPress Plugin: https://wordpress.org/plugins/jquery-accordion-slideshow/
3. Vulnerability Report: https://vulnerability-lab.com/get_content.php?id=2203

Exploit Details

To demonstrate the exploitability of this flaw, let's assume an attacker is aware of the shortcode syntax used for the Jquery Accordion Slideshow plugin, and they manipulate the 'gallery' parameter as follows:

[accordionslideshow gallery="' UNION SELECT * FROM wp_users WHERE 1=1--"]

An authenticated attacker can place this shortcode in any post or page where shortcodes are processed. When the shortcode is rendered, the injected SQL is combined with the existing query, and the result exposes sensitive user information from the wp_users table, including usernames, hashed passwords, and email addresses.

Mitigation

The developers of the Jquery Accordion Slideshow plugin have been notified of the vulnerability, and users are advised to update the plugin to the patched version as soon as it becomes available. In the meantime, site owners should limit what low-privilege roles (such as subscribers) are allowed to do, in particular the ability to add content in which shortcodes are processed, and should monitor their WordPress installations for suspicious activity.
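The monitoring advice above can be made concrete by auditing stored post content for the shortcode with a gallery attribute that is not a plain integer, which is the shape an injected value takes. The script below is an added example, not part of the advisory or the plugin; it runs stand-alone with the PHP CLI on constructed sample rows, and on a live site the same function could be fed post_content values read from wp_posts.

```php
<?php
// Added example (not from the plugin or the advisory): audit post content
// for [accordionslideshow] shortcodes whose "gallery" attribute is anything
// other than a positive integer. Runs stand-alone on the constructed samples.

/**
 * Return every suspicious gallery attribute value found in $content.
 * A value is suspicious when it is not a positive integer (quotes, SQL
 * keywords, comment markers and the like all fail this test).
 */
function find_suspicious_gallery_attrs( string $content ): array {
    $hits = array();
    // Each [accordionslideshow ...] tag; group 1 is its attribute string.
    if ( ! preg_match_all( '/\[accordionslideshow\b([^\]]*)\]/i', $content, $tags ) ) {
        return $hits;
    }
    foreach ( $tags[1] as $attr_string ) {
        // gallery="..." , gallery='...' or bare gallery=value; the branch-reset
        // group (?|...) puts the value in group 1 whichever form matched.
        if ( preg_match( '/\bgallery\s*=\s*(?|"([^"]*)"|\'([^\']*)\'|(\S+))/i', $attr_string, $m ) ) {
            $value = $m[1];
            if ( ! preg_match( '/^[1-9][0-9]*$/', $value ) ) {
                $hits[] = $value;
            }
        }
    }
    return $hits;
}

/** Constructed sample rows standing in for (ID => post_content) from wp_posts. */
function sample_posts(): array {
    return array(
        10 => 'Intro text [accordionslideshow gallery="3"] more text',
        11 => "Another page [accordionslideshow gallery='12' speed=\"fast\"]",
        12 => 'Tampered [accordionslideshow gallery="1\' OR 1=1 --"]',
        13 => 'No shortcode here at all',
        14 => '[accordionslideshow gallery=abc]',
    );
}

/** Map post ID => suspicious values for every post that has at least one. */
function audit_posts( array $posts ): array {
    $report = array();
    foreach ( $posts as $id => $content ) {
        $bad = find_suspicious_gallery_attrs( $content );
        if ( $bad ) {
            $report[ $id ] = $bad;
        }
    }
    return $report;
}

foreach ( audit_posts( sample_posts() ) as $id => $values ) {
    printf( "post %d: suspicious gallery attribute(s): %s\n", $id, implode( ' | ', $values ) );
}
```

Posts 12 and 14 are reported and the rest are silent. The check is deliberately strict (anything not a positive integer is flagged) rather than a keyword blocklist, because the plugin's own default for the attribute is '1' and legitimate content has no reason to put anything else there.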

Conclusion

CVE-2023-5464 is a critical vulnerability affecting the Jquery Accordion Slideshow plugin for WordPress. To secure your site and protect sensitive data, update the plugin to the patched version as soon as it is released, or consider switching to an alternative plugin with similar functionality that does not carry this risk. Additionally, apply role-based access control and proactive monitoring to limit and detect abuse of user-supplied input.

Timeline

Published on: 10/31/2023 09:15:09 UTC
Last modified on: 11/07/2023 04:24:03 UTC