In recent times, CVE-2023-5466 caught the attention of the cybersecurity community and WordPress users. The vulnerability has been discovered in the WP Anything Slider Plugin, which is a popular plugin for adding customizable sliders to WordPress sites. Specifically, this vulnerability highlights an SQL injection issue found in versions up to, and including, 9.1 of the plugin. Due to insufficient escaping on the user-supplied parameter and lack of proper preparation on the existing SQL query, an authenticated attacker with subscriber-level permissions can exploit this vulnerability and extract sensitive information from the database.

In this in-depth post, we will examine the code snippet responsible for the vulnerability, original references, and exploit details for CVE-2023-5466.

Code Snippet

The crucial part of the plugin's code, which allows for SQL injection, is found in the shortcode.php file. Here is the vulnerable code snippet:

function wp_anything_slider_shortcode($attrs) {
  global $wpdb;
  // extract() turns the shortcode's 'id' attribute straight into a local $id variable
  extract(shortcode_atts(array(
    'id' => '',
  ), $attrs));
  
  if ($id != '') {
    // $id is interpolated into the query string without escaping or $wpdb->prepare(),
    // so whatever the attribute contains is handed to MySQL as SQL text
    $sql = "SELECT * FROM ".$wpdb->prefix."wp_anything_slider WHERE id=$id";
    $results = $wpdb->get_results($sql, 'ARRAY_A');
  }
  
  ...
}

In the code above, the function wp_anything_slider_shortcode accepts the user-supplied shortcode attribute "id" without escaping or validating it. The value is interpolated directly into the SQL string, and the string is passed to $wpdb->get_results() without $wpdb->prepare(), so the query is susceptible to SQL injection.

Original References

1. Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5466
2. WPVulnDB Vulnerability Listing: https://wpvulndb.com/vulnerabilities/17426

Exploit Details

To exploit this vulnerability, an attacker with subscriber-level permissions must inject additional SQL queries into the existing query. Here's an example of how the attack could be performed:

1. The attacker logs into their subscriber-level WordPress account.

2. In the post creation or editing section, the attacker inserts the following shortcode into the post content:

[wp_anything_slider id="1 UNION SELECT 1, user_login, user_pass, 4, 5, 6, 7, 8, 9 FROM wp_users WHERE id=1"]

3. Upon saving or previewing the post, the SQL query gets executed, and the attacker can extract sensitive information, such as the administrator's login credentials.

In the given example, everything after the legitimate slider id (the part beginning with UNION SELECT) is the additional SQL that gets appended to the original query. This causes the database to return not only the slider information but also user login credentials, which are then displayed on the webpage containing the vulnerable shortcode.

Conclusion

To protect your WordPress site from this CVE-2023-5466 vulnerability, we highly recommend updating your WP Anything Slider Plugin to the latest version. This vulnerability draws attention to the importance of proper input validation and the need for following secure coding best practices.

If you're a developer, make sure to escape user-supplied inputs and use prepared statements when dealing with SQL queries to mitigate the risk of SQL injection attacks. Stay vigilant, and keep your website and its plugins updated to ensure the best security for your online presence.
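As an added example of the fix recommended above (this is not the plugin's own patched code and the function, shortcode tag and table name are assumed from the snippet earlier in the post), the handler below validates the id as an integer and binds it with $wpdb->prepare(), so the "1 UNION SELECT ..." attribute from the exploit section collapses to the integer 1 and never reaches MySQL as SQL text:

```php
<?php
// Added example, not the plugin's code. Names assumed: the shortcode tag
// 'wp_anything_slider' and the table {$wpdb->prefix}wp_anything_slider.
function wp_anything_slider_shortcode_hardened( $attrs ) {
    global $wpdb;

    // Read attributes into an array instead of extract(); no user-controlled
    // attribute can become an unexpected local variable this way.
    $atts = shortcode_atts( array( 'id' => '' ), $attrs, 'wp_anything_slider' );

    // A slider id is a row id, so coerce it to a non-negative integer.
    // absint( "1 UNION SELECT ..." ) === 1, absint( "" ) === 0, absint( "abc" ) === 0.
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // nothing to render for a missing or non-numeric id
    }

    // Even with an integer in hand, bind it through $wpdb->prepare() so the
    // final query text never contains user-supplied characters. %d formats
    // the argument as an integer; the table name is not user input.
    $table = $wpdb->prefix . 'wp_anything_slider';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );

    $results = $wpdb->get_results( $sql, ARRAY_A );
    if ( empty( $results ) ) {
        return '';
    }

    // Anything echoed back into the page is escaped for its context.
    return '<div class="wp-anything-slider" data-slider-id="' . esc_attr( $id ) . '"></div>';
}
add_shortcode( 'wp_anything_slider', 'wp_anything_slider_shortcode_hardened' );
```

The two layers are deliberate: absint() enforces the type the column expects, and $wpdb->prepare() guarantees that even a future change to a string-typed attribute is quoted and escaped rather than interpolated. Passing the shortcode tag as the third argument to shortcode_atts() also lets site owners filter the attributes via shortcode_atts_wp_anything_slider.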

Timeline

Published on: 11/22/2023 16:15:12 UTC
Last modified on: 11/28/2023 19:29:09 UTC