LearnPress is a popular WordPress plugin used to build and manage online courses on a WordPress website. It was recently discovered that the plugin is vulnerable to time-based SQL Injection via the 'order_by' parameter. The vulnerability affects all versions up to and including 4.2.5.7, making it critical for users to update their plugin to the latest version. In this post, we will discuss the specifics of the vulnerability, share a code snippet demonstrating the exploit, and provide links to original references.

Vulnerability Details and Impact

The vulnerability exists because of insufficient escaping on the user-supplied 'order_by' parameter and lack of sufficient preparation on the existing SQL query in the LearnPress plugin. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries, which can then be used to extract sensitive information from the database.

Such SQL injections can lead to unauthorized access to sensitive data such as user credentials, personal information, and potentially grant the attacker access to the site's administration controls. Since LearnPress is designed to manage online courses, it could further be used to steal course materials and manipulate course data.

Code Snippet and Exploit Steps

The vulnerable code in the LearnPress plugin, located in the /includes/class-lp-courses.php file, handles the order_by parameter in the following manner:

$order_by = isset( $_REQUEST['order_by'] ) ? $_REQUEST['order_by'] : 'post_title';

Later, this value is concatenated directly into an SQL query:

$sql = "SELECT * FROM {$wpdb->posts} WHERE post_type = 'lp_course' AND post_status = 'publish' ORDER BY {$order_by} {$order}";
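The root cause above is that an identifier (the ORDER BY column) is taken from the request and interpolated into the query unchanged; `$wpdb->prepare()` cannot bind identifiers, only values, so the fix has to be an allow-list. The following is an added example written for this post, not LearnPress code or its patch: it shows the hardened form of the same query. The column names in `LP_ALLOWED_ORDER_BY`, the function names, and the `Fake_Wpdb` stand-in (used only so the snippet runs outside WordPress) are assumptions for illustration.

```php
<?php
// Added example (not LearnPress code): hardening an ORDER BY that is built from request input.
// The vulnerable pattern interpolates $_REQUEST['order_by'] into SQL unchanged. Since
// $wpdb->prepare() binds values, not identifiers, the sort column must be validated
// against an allow-list of known column names before it is placed in the query.

// Sort keys the feature is allowed to use (assumption: illustrative list of post columns).
const LP_ALLOWED_ORDER_BY = array( 'post_title', 'post_date', 'post_modified', 'menu_order' );

/**
 * Return a safe ORDER BY column. Anything not in the allow-list falls back to the default,
 * so an injected expression such as IF(...) or BENCHMARK(...) never reaches the query.
 */
function lp_safe_order_by( $requested, $default = 'post_title' ) {
	if ( ! is_string( $requested ) ) {
		return $default;
	}
	return in_array( $requested, LP_ALLOWED_ORDER_BY, true ) ? $requested : $default;
}

/** Sort direction is a two-value enum and gets the same allow-list treatment. */
function lp_safe_order( $requested, $default = 'ASC' ) {
	$dir = is_string( $requested ) ? strtoupper( $requested ) : '';
	return in_array( $dir, array( 'ASC', 'DESC' ), true ) ? $dir : $default;
}

/**
 * Build the course query. Identifiers come from the allow-lists; the literal values
 * (post_type, post_status) are bound through $wpdb->prepare() instead of being interpolated.
 */
function lp_build_course_sql( $wpdb, $request ) {
	$order_by = lp_safe_order_by( isset( $request['order_by'] ) ? $request['order_by'] : null );
	$order    = lp_safe_order( isset( $request['order'] ) ? $request['order'] : null );

	return $wpdb->prepare(
		"SELECT * FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s ORDER BY {$order_by} {$order}",
		'lp_course',
		'publish'
	);
}

// Minimal stand-in for WordPress's $wpdb so the example runs outside WordPress (assumption:
// it only supports %s and quotes each bound value; the real prepare() does far more).
class Fake_Wpdb {
	public $posts = 'wp_posts';

	public function prepare( $query, ...$args ) {
		$quoted = array_map( function ( $value ) {
			return "'" . addslashes( (string) $value ) . "'";
		}, $args );
		return vsprintf( $query, $quoted );
	}
}

$wpdb = new Fake_Wpdb();

// A legitimate request: the requested column is on the allow-list and is used as-is.
echo lp_build_course_sql( $wpdb, array( 'order_by' => 'post_date', 'order' => 'desc' ) ), "\n";

// A hostile request of the shape described in this post: the expression is not a known
// column, so the query silently falls back to ORDER BY post_title ASC.
echo lp_build_course_sql( $wpdb, array( 'order_by' => 'IF(1=1,BENCHMARK(200000,SHA1(1)),0)' ) ), "\n";
```

Run with `php` on the command line: the first line of output sorts by `post_date DESC`, while the second contains only `ORDER BY post_title ASC`, because the injected expression never passes `in_array()`. Rejecting unknown identifiers (rather than trying to escape them) is the point: there is no escaping function that makes an arbitrary expression safe in an ORDER BY position.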

An attacker can exploit this vulnerability by injecting a malicious payload into the 'order_by' parameter, like this:

example.com/?order_by=IF(SUBSTR((SELECT+password+FROM+wp_users+WHERE+ID=1),1,1)CHAR(49),BENCHMARK(200000,SHA1(1)),)

This URL payload would check whether the first character of the admin user's hashed password is 1 (CHAR(49)). If it is, the server will execute a time-consuming benchmarking operation to introduce a delay in the response, which the attacker can use to infer that the condition was true.

By repeating this experiment for different characters and positions in the hashed password, an attacker could obtain the full admin password hash and potentially crack it to gain unauthorized access to the site as an admin user.
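From the defender's side, the two observable traces of this technique are an `order_by` value that is not a plain column identifier and a response time that swings with the injected condition. The following is an added example, not part of the original post or of LearnPress: a small PHP scanner over constructed access-log lines. It assumes an Apache combined log format with the response time in microseconds (`%D`) appended as the last field; the IP addresses, timestamps and request lines are made up for the example, and the `lp_scan_order_by_log` function name and the one-second slow threshold are assumptions.

```php
<?php
// Added example (not LearnPress code): flag requests whose order_by value is not a plain
// column identifier and mark those that coincided with a slow response, which is the
// signal a time-based injection depends on.
//
// Assumed log format: Apache combined log with the response time in microseconds
// (mod_log_config %D) appended as the final field.

// Constructed sample lines; not taken from any real server.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [11/Jan/2024:09:15:49 +0000] "GET /?order_by=post_title&order=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 18342
203.0.113.5 - - [11/Jan/2024:09:15:51 +0000] "GET /?order_by=IF(1%3D1,BENCHMARK(200000,SHA1(1)),0) HTTP/1.1" 200 5120 "-" "curl/8.4.0" 4120077
203.0.113.5 - - [11/Jan/2024:09:15:56 +0000] "GET /?order_by=IF(1%3D2,BENCHMARK(200000,SHA1(1)),0) HTTP/1.1" 200 5120 "-" "curl/8.4.0" 20911
198.51.100.7 - - [11/Jan/2024:09:16:02 +0000] "GET /?order_by=post_date&order=desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 17455
LOG;

/**
 * Return one finding per request whose order_by parameter is not a bare identifier.
 * Each finding records the client, timestamp, decoded value, and whether the response
 * exceeded $slow_us microseconds (default one second).
 */
function lp_scan_order_by_log( $log, $slow_us = 1000000 ) {
	$line_re   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" (\d+)$/';
	$ident_re  = '/^[A-Za-z_][A-Za-z0-9_]*$/'; // what a legitimate column name looks like
	$findings  = array();

	foreach ( preg_split( "/\r?\n/", trim( $log ) ) as $line ) {
		if ( ! preg_match( $line_re, $line, $m ) ) {
			continue; // different format: skip rather than guess at the fields
		}
		list( , $ip, $ts, $method, $uri, $status, $micros ) = $m;

		$query = parse_url( $uri, PHP_URL_QUERY );
		if ( ! $query ) {
			continue;
		}
		parse_str( $query, $params ); // decodes %3D etc. the same way PHP fills $_REQUEST
		if ( ! isset( $params['order_by'] ) || ! is_string( $params['order_by'] ) ) {
			continue;
		}

		$value = $params['order_by'];
		if ( preg_match( $ident_re, $value ) ) {
			continue; // plain identifier: the only thing this parameter should ever carry
		}

		$findings[] = array(
			'ip'       => $ip,
			'time'     => $ts,
			'method'   => $method,
			'status'   => (int) $status,
			'order_by' => $value,
			'slow'     => (int) $micros >= $slow_us,
		);
	}
	return $findings;
}

foreach ( lp_scan_order_by_log( SAMPLE_LOG ) as $f ) {
	printf(
		"%s %s order_by=%s%s\n",
		$f['time'],
		$f['ip'],
		$f['order_by'],
		$f['slow'] ? '  [slow response]' : ''
	);
}
```

Against the constructed log the scanner reports the two `IF(...)` requests from `203.0.113.5` and nothing for the two legitimate sorts; only the first of the two is tagged as slow. That pairing, a non-identifier `order_by` value followed by alternating fast and slow responses from the same client, is the pattern to alert on, and the identifier check alone is enough to write a WAF or request-filter rule since a legitimate sort key never contains parentheses, commas or spaces.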

Mitigation and Original References

The best mitigation for this vulnerability is to update the LearnPress plugin to version 4.2.5.8 or higher, where the vulnerability has been patched. Plugin developers should be vigilant in properly escaping and sanitizing user inputs to prevent potential SQL injections in their code.

For more information on this vulnerability and its discovery, you can refer to the following sources:

- CVE-2023-6567
- WordPress LearnPress Plugin SQL Injection Vulnerability Disclosure

Conclusion

The LearnPress WordPress plugin suffers from a time-based SQL Injection vulnerability, which opens the door for attackers to obtain unauthorized access to sensitive data and potentially take control of the website. It is crucial for users to update their LearnPress plugin to the latest version and follow best practices for securing their WordPress installation. Developers, regardless of the platform, should be cautious with handling user input and adhere to secure coding practices to minimize the risk of exploits in their software.

Timeline

Published on: 01/11/2024 09:15:49 UTC
Last modified on: 01/17/2024 18:46:59 UTC