The User Control plugin gives administrators the possibility to disable user accounts in WordPress. Users whose accounts have been disabled can no longer sign in to WordPress. Unfortunately, the plugin has some serious vulnerabilities which anyone can use to perform SQL queries on the WordPress SQL database.
The plugin has been removed from the official WordPress plugin repository. If this plugin is installed on your WordPress installation, you should remove it ASAP.
The plugin contains the following code, which is executed on every page load:
// Vulnerable handler as shipped by the plugin: no capability check, no nonce,
// and the user id is concatenated into the SQL string unquoted.
if (isset($_POST['disable']))
{
    foreach ($_POST['users'] as $userid) {
        // $wpdb->escape() only escapes quotes; it does not protect an unquoted numeric value.
        $wpdb->query("UPDATE ".$wpdb->prefix."usercontrol SET disable_status = 'disabled' WHERE ID = ".$wpdb->escape($userid));
    }
}
if (isset($_POST['enable']))
{
    foreach ($_POST['users'] as $userid) {
        $wpdb->query("UPDATE ".$wpdb->prefix."usercontrol SET disable_status = 'enabled' WHERE ID = ".$wpdb->escape($userid));
    }
}
This code is executed for logged-in users as well as anonymous users. No authentication check is performed before that code runs.
Any website visitor can abuse this by sending an HTTP POST request with the variable disable=1 and users=1; /* some malicious SQL query statement here */. The malicious SQL query will then be executed.
curl -X POST -d "disable=1&users=1%3B%20SELECT%20%2A%20FROM%20%60wp_options%60" http://localhost/
Adding && is_user_logged_in() to the if clause should prevent this from happening, unless I'm missing something.
EDIT: That's just a quick thought. The check should also validate that the logged-in user is an admin.
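A hardened version of the handler along those lines, as an added example that is not the plugin's own code: it checks capability and a nonce, coerces ids to integers and uses a prepared statement. The function name, the nonce action name and the assumption that the plugin's form emits a matching wp_nonce_field() are mine; the table and column names are taken from the snippet above.

```php
<?php
// Added hardened example (not the plugin's code). Assumes the same
// {prefix}usercontrol table with columns ID and disable_status, and that the
// admin form includes wp_nonce_field('usercontrol_toggle', 'usercontrol_nonce').
// Function name and nonce names are hypothetical.

function usercontrol_handle_toggle() {
    global $wpdb;

    // Only react to the plugin's own form submissions.
    if ( ! isset( $_POST['disable'] ) && ! isset( $_POST['enable'] ) ) {
        return;
    }

    // Authentication and authorization: only users allowed to manage accounts.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF protection: the request must carry a valid nonce from our own form.
    check_admin_referer( 'usercontrol_toggle', 'usercontrol_nonce' );

    // Fixed set of allowed status values; never derived from user input.
    $status = isset( $_POST['disable'] ) ? 'disabled' : 'enabled';

    // Coerce every submitted id to a non-negative integer and drop zeros, so a
    // value such as "1; SELECT ..." becomes 1 and the trailing text never reaches SQL.
    $ids = isset( $_POST['users'] ) ? (array) $_POST['users'] : array();
    $ids = array_filter( array_map( 'absint', $ids ) );
    if ( empty( $ids ) ) {
        return;
    }

    $table = $wpdb->prefix . 'usercontrol';
    foreach ( $ids as $userid ) {
        // Parameterised query: %s and %d are bound by $wpdb->prepare(),
        // so no untrusted string is concatenated into the statement.
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$table} SET disable_status = %s WHERE ID = %d",
            $status,
            $userid
        ) );
    }
}

// Run only in the admin area, after WordPress has loaded the current user,
// instead of on every front-end page load.
add_action( 'admin_init', 'usercontrol_handle_toggle' );
```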