Security should always be a top priority for website owners, especially when the site runs on a popular content management system such as WordPress. One of the most common vulnerability classes found in WordPress plugins is SQL injection. Recently, an SQL injection vulnerability was discovered in the NotificationX plugin for WordPress and assigned the identifier CVE-2024-1698. In this article, we discuss the details of the vulnerability, how it can be exploited, and what you should do to protect your website.

Vulnerability Details

The NotificationX plugin for WordPress is vulnerable to SQL injection in all versions up to, and including, 2.8.2. The vulnerability exists because the user-supplied "type" parameter is not escaped and the existing SQL query is not prepared. As a result, unauthenticated attackers can append additional SQL to the existing query, which can lead to extraction of sensitive information from the database.

The vulnerable code snippet is as follows:

...
$type    = $_GET['type'];   // raw request value, neither validated nor escaped
$sql     = "SELECT * FROM {$wpdb->prefix}notificationx WHERE type = '$type' ORDER BY id DESC";   // value interpolated directly into the SQL string
$results = $wpdb->get_results( $sql, ARRAY_A );
...

As we can see, the "type" parameter is neither validated nor escaped before being interpolated into the SQL string, so an attacker controls part of the query text rather than just a value.
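The same query written with a prepared statement, as an added example that is not the plugin's actual patch. It assumes a WordPress context (global $wpdb, the notificationx table) and a hypothetical function name; the allowlist-style sanitization is an assumption about what valid "type" values look like.

```php
<?php
// Added example (not the plugin's own fix): the query from the article rewritten
// so the "type" value is bound as data via $wpdb->prepare() instead of being
// interpolated into the SQL text. Assumes a WordPress runtime with global $wpdb.

function nx_get_entries_by_type( $type ) {
    global $wpdb;

    // Unslash the request value as WordPress core expects, then reduce it to a
    // short key (a-z, 0-9, "_" and "-"). Assumption: the plugin's real type
    // values fit that shape; widen the check if they do not.
    $type = sanitize_key( wp_unslash( $type ) );
    if ( '' === $type ) {
        return array();
    }

    // %s is replaced by a quoted, escaped string literal. The table name comes
    // only from the trusted $wpdb->prefix, never from the request.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}notificationx WHERE type = %s ORDER BY id DESC",
        $type
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// For comparison, the vulnerable form from the article:
//   $sql = "SELECT * FROM {$wpdb->prefix}notificationx WHERE type = '$type' ORDER BY id DESC";
// With the version above, the quotes, spaces and punctuation of an injected
// payload are stripped by sanitize_key(), and whatever remains is quoted and
// escaped by prepare(), so it can only ever be compared as a value of "type".
```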

Exploit

To exploit this vulnerability, an attacker can send a specially crafted request to the vulnerable URL with the "type" parameter containing their desired SQL query appended to the existing query. For example, the following request will allow an attacker to view all the user email addresses in the WordPress database:

http://example.com/wp-admin/admin-ajax.php?action=get_nx-entries&type=1'; UNION SELECT CONCAT_WS(':',user_email) FROM wp_users -- -

By sending such a request, the attacker can read sensitive user information from the database, such as email addresses and hashed passwords.

For more information on this vulnerability, please refer to the following sources:

1. CVE-2024-1698 Official Entry
2. NotificationX Plugin Homepage
3. NotificationX Plugin Vulnerability Disclosure

Mitigation

If you are using the NotificationX plugin on your WordPress website, update to the latest version as soon as possible. At the time of writing, the latest version of the plugin is 2.8.3, which addresses this vulnerability. Additionally, keep the rest of your WordPress installation, plugins, and themes up to date to prevent attackers from exploiting known vulnerabilities.

Timeline

Published on: 02/27/2024 06:15:46 UTC
Last modified on: 02/27/2024 14:20:06 UTC