Three popular WordPress plugins, with tens of thousands of active installations between them, were found to be vulnerable to critical SQL injection flaws. PoC exploits for these bugs are now publicly available.
The vulnerabilities were discovered by researchers at Tenable, who notified the WordPress developers back in mid-December 2022 and provided them with proof-of-concept exploits. The plugin authors have since released patches, so the researchers have now published the technical details of the bugs.
The first plugin vulnerable to SQL injection is Paid Membership Pro, designed to manage memberships and subscriptions and used by more than 100,000 sites.
“The plugin does not escape the code parameter in the REST path /pmpro/v1/order before it is used in a SQL statement, which leads to an unauthenticated SQL injection vulnerability,” the researchers wrote.
The vulnerability is tracked as CVE-2023-23488 (CVSS score 9.8, i.e. critical) and affects all plugin versions older than 2.9.8. The issue was fixed with the release of version 2.9.8.
The second vulnerable plugin is Easy Digital Downloads, designed for e-commerce and selling digital files, with over 50,000 active installations.
“The plugin does not escape the s parameter in edd_download_search before it is used in a SQL statement, which leads to an unauthenticated SQL injection vulnerability,” Tenable explains.
The vulnerability is tracked as CVE-2023-23489 (also 9.8 on the CVSS scale) and affects all versions of the plugin prior to 3.1.0.4, released on January 5, 2023.
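As an added illustration of the pattern the researchers describe in both cases (a request parameter reaching a SQL statement without escaping) and of the standard WordPress fix, the following is not code from any of the plugins above; the route, table and function names are hypothetical.

```php
<?php
// Added illustration, not code from any plugin mentioned above.
// Hypothetical public REST route "example/v1/search" taking a user-supplied "s" parameter.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/search', array(
        'methods'             => 'GET',
        'callback'            => 'example_search_handler',
        'permission_callback' => '__return_true', // public endpoint: input is fully untrusted
        'args'                => array(
            's' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Vulnerable pattern: the parameter is interpolated straight into the SQL string,
// so a quote character in $s changes the structure of the statement.
function example_search_vulnerable( string $s ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items'; // hypothetical table
    return $wpdb->get_results( "SELECT id, title FROM {$table} WHERE title LIKE '%{$s}%'" );
}

// Hardened pattern: LIKE wildcards are neutralised with esc_like() and the value is
// bound through $wpdb->prepare(), so it can only ever be treated as data, never as SQL.
function example_search_safe( string $s ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    $like  = '%' . $wpdb->esc_like( $s ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s LIMIT %d", $like, 20 )
    );
}

// Route callback: only the prepared variant is ever reachable from the request.
function example_search_handler( WP_REST_Request $request ) {
    $s = (string) $request->get_param( 's' );
    return rest_ensure_response( example_search_safe( $s ) );
}
```

When auditing a plugin, the check is simply whether every `$wpdb->query()` / `get_results()` call that includes request data goes through `$wpdb->prepare()` (or an equivalent binding), as in the second function.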
Tenable also found CVE-2023-23490 in the Survey Maker plugin, used by around 3,000 sites for surveys and research. The vulnerability received a CVSS score of 8.8, since an attacker must be authenticated (at least as a subscriber) to exploit the bug. Unfortunately, this condition is easily met, as many sites allow visitors to register as members.
The vulnerability in the plugin was fixed with the release of version 3.1.2 at the end of December 2022.
Source: xaker.ru