WordPress Photo Gallery Plugin SQL Injection Vulnerability
Overview:
WordPress is an open source, PHP-based Content Management System (CMS) that offers features such as multiple users, editing, custom formatting of text, and a plugin architecture that further extends its functionality. This advisory looks at the Photo Gallery plugin by 10Web, which has more than 300,000 active installations. The plugin adds responsive, mobile-friendly photo galleries and albums to your post content.
A SQL injection vulnerability has been reported in the Photo Gallery plugin for WordPress. The vulnerability is due to improper input validation of the filter_tag parameter.
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. A successful attack may result in remote SQL command execution against the database on the target server.
CVE Reference:
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-1281.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
Technical Overview:
The vulnerability is due to insufficient sanitization of the filter_tag parameter in requests to /wp-admin/admin-ajax.php when the action parameter is set to GalleryBox. When the server receives a request with action=GalleryBox, the function get_image_rows_data() from photo-gallery/frontend/models/BWGModelGalleryBox.php is called. get_image_rows_data() checks for the presence of the filter_tag parameter; if it is present, each tag is parsed and stored in an array. This array of tags is used to construct the WHERE clause of a SQL query, which is then executed with wpdb->get_results() to obtain an array of images. As a result, a maliciously crafted filter_tag parameter can be used to perform a SQL injection attack and extract sensitive information from the underlying database.
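The following is an added, simplified illustration of the pattern described above and of the hardened form a maintainer would want; it is not the plugin's own code. It assumes filter_tag carries a comma-separated list of numeric tag IDs, that $wpdb is WordPress's global database object, and that the table and column names are placeholders chosen for the example.

```php
<?php
// Added illustration, not code from the Photo Gallery plugin.
// Assumptions: filter_tag is a comma-separated list of numeric tag IDs;
// $wpdb is the WordPress database object; table/column names are placeholders.

// Unsafe pattern: each tag from the request is concatenated into the WHERE
// clause as raw text, so any SQL metacharacters in the value alter the query.
function tag_filter_clause_unsafe( $filter_tag ) {
    $tags = explode( ',', $filter_tag );
    return " AND image_id IN (SELECT image_id FROM image_tag WHERE tag_id IN ('"
        . implode( "','", $tags ) . "'))";
}

// Hardened form: coerce every tag to a positive integer, drop anything else,
// and bind the survivors through one %d placeholder each via $wpdb->prepare().
function tag_filter_clause_safe( $filter_tag ) {
    global $wpdb;
    $tag_ids = array_values( array_filter(
        array_map( 'intval', explode( ',', (string) $filter_tag ) ),
        function ( $id ) { return $id > 0; }
    ) );
    if ( empty( $tag_ids ) ) {
        return ''; // nothing to filter on; never emit an empty "IN ()"
    }
    $placeholders = implode( ',', array_fill( 0, count( $tag_ids ), '%d' ) );
    return $wpdb->prepare(
        " AND image_id IN (SELECT image_id FROM {$wpdb->prefix}image_tag"
        . " WHERE tag_id IN ($placeholders))",
        $tag_ids
    );
}

// Caller mirroring the flow in the advisory: the tag clause is appended to the
// base query and the result is fetched with $wpdb->get_results().
function get_image_rows( $filter_tag ) {
    global $wpdb;
    $where = tag_filter_clause_safe( $filter_tag );
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}image WHERE published = 1" . $where
    );
}
```

With the hardened clause, a filter_tag value that is not a list of positive integers contributes nothing to the query, and the values that remain reach the database only as bound integers.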
Triggering the Problem:
• The target system must have the vulnerable WordPress plugin installed and running.
• The attacker must have network connectivity to the affected ports.
Triggering Conditions:
The attacker sends a crafted HTTP request to the vulnerable server. The vulnerability is triggered when the server processes the request.
Attack Delivery:
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• HTTP
• HTTPS
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 2762 WordPress Photo Gallery plugin SQL Injection 3
Remediation Details:
The risks posed by this vulnerability can be mitigated or eliminated by:
• Updating to a non-vulnerable version of the product or applying the vendor-supplied patch.
• Filtering attack traffic using the signature above.
The vendor has released the following patch for this vulnerability:
Vendor Advisory