11 Jun 2024

Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express

Over the weekend, a hacker attempted to exploit, on our website, a SQL injection vulnerability that turned out to be one recently fixed in the 90,000+ install WordPress plugin Icegram Express. We don’t use the plugin, so the exploitation attempt appears to be part of an untargeted attempt to exploit this.

Upon reviewing the relevant code, we found that it still isn’t properly secured, and neither is other, similarly accessed code. We have reached out to the developer about that. Based on the continued insecurity, we would recommend not using the plugin unless it has a more thorough security review and all the issues are addressed. [Read more]

10 Nov 2023

Developer of WP Fastest Cache Obliquely Discloses SQL Injection Vulnerability, Fix Isn’t Generally Available

Yesterday, the developer of the 1+ million install WordPress plugin WP Fastest Cache committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory that fixed a SQL injection vulnerability. Unfortunately, they haven’t released a new version of the plugin that makes the fix available to the public. If hackers haven’t already realized what is at issue, it shouldn’t take them long.

The commit message for the update was “Security Enhancements”, which suggests a vulnerability could have been fixed. Our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being fixed in updates to WordPress plugins flagged the change as fixing a vulnerability. Could hackers have a similar system? Who knows, but it isn’t too complicated to create what we have, so we wouldn’t want to bet they don’t. [Read more]

17 Mar 2023

These Jetpack Security Features Won’t Protect Against the Unfixed SQL Injection Vulnerability They Disclosed

Yesterday, we wrote about how Automattic’s Jetpack has been telling people an authenticated SQL injection vulnerability had been fixed in a WordPress plugin, while the vulnerability still exists. In their post, they recommended that people update the plugin, despite that not addressing the issue, and also that they have an “established security solution” on their website:

We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security. [Read more]

17 Mar 2023

BBQ Firewall Also Fails to Prevent SQL Injection Attack

In November, we wrote about how reviews for a WordPress security plugin were claiming that it protected against SQL injection, but testing showed it didn’t. A new review for another plugin, BBQ Firewall, which we happened across, made the same claim:

This is the plugin I install on every WordPress installation. It protects the site from SQL injection attacks and doesn’t have any settings. Just install and activate, wonderful! [Read more]

27 Feb 2023

Bleeping Computer’s Bill Toulas Spreads Common Misconception About Impact of SQL Injection Vulnerabilities in WordPress Plugins

We often see confusion over the potential impact of one type of vulnerability, SQL injection, that can exist in WordPress plugins. The confusion seems to stem in part from the name of the vulnerability, though that doesn’t explain it entirely. The SQL part refers to a SQL statement, a query being made of a database, but it is easy enough to think that it refers to the database itself. With that misinterpretation, it would refer to database injection, or injecting something into the database. Confusion over this was recently spread by a journalist not really doing journalism.

A recent Bleeping Computer story by Bill Toulas involved SQL injection vulnerabilities in three WordPress plugins. He accurately described what SQL injection is: [Read more]

15 Apr 2022

Vulnerability Details: SQL Injection in Photo Gallery

Last week a new version of the WordPress plugin Photo Gallery was released that had a couple of changelog entries indicating that vulnerabilities might have been fixed in it. As at least one of our customers was using the plugin, we took a look over the changes made and found they appeared to be duplicating existing security in places, which was confusing.

[Read more]

11 Sep 2019

If a Hacker Has Modified Your WordPress Website’s Database That Doesn’t Mean a SQL Injection Vulnerability Was Exploited

Among the many areas where there seems to be confusion over security when it comes to WordPress websites, and websites more broadly, is a type of vulnerability known as SQL injection. SQL is short for Structured Query Language, a language used for communicating with some databases. SQL injection involves injecting malicious code into SQL statements, causing code specified by the attacker to run against the database. What can be done through that depends on the specifics of the vulnerability, but in most instances with WordPress plugins all that can be done is to slowly read out the contents of the database. What often gets referred to as SQL injection is any change being made to the database, which, in the recent history of WordPress plugins being exploited, almost never involves SQL injection.

One of the ways we keep up with vulnerabilities in WordPress plugins, so that we can warn customers of our service about any of them that impact them, is by monitoring topics on the WordPress Support Forum related to them. These days, though, what we are usually finding is that vulnerabilities we already warned our customers about are now being exploited. That was the case with an arbitrary file viewing vulnerability in the plugin Advanced Access Manager that we warned our customers about on the 5th when it was fixed. We rated the vulnerability as having a high likelihood of exploitation. Early on the 7th a topic was started on the forum that appears to be due to that vulnerability being exploited. [Read more]