Popular WordPress plugins identified with critical SQL injection vulnerabilities

• The vulnerable plugins are now patched by the respective vendors.
• All nine vulnerabilities were given a CVSS score of 9.0 and rated with critical severity.

Nine different popular WordPress plugins were discovered and reported to contain different SQL injection vulnerabilities. These popular plugins belonged to various categories such as advertisements, donation, gallery, newsletter, etc., and are being widely used by many websites. Many of the website owners have also rated these plugins to the top position in the categories to which they belong.

Who discovered the vulnerabilities?

The vulnerabilities were discovered by security researchers from Fortinet’s FortiGuard Labs and were made public in a detailed report. All the identified vulnerabilities were assigned with a FortiGuard Labs CVE identity. The following are the list of the CVE ID with respect to the nine identified vulnerabilities.

• CVE-2019-13570
• CVE-2019-13572
• CVE-2019-13569
• CVE-2019-13575
• CVE-2019-13573
• CVE-2019-13578
• CVE-2019-14314
• CVE-2019-14313
• CVE-2019-14695

FortiGuard rated all the listed vulnerabilities with a Base Score of 9.0 and mentioned that they fall under critical severity.

Both the Free and Pro versions of the popular plugins such as AdRotate, NextGen, Impress Give were affected. While most of the Vulnerabilities had the same code pattern FortiGuard researchers explained in detail about the three major vulnerabilities with CVEs FG-VD-19-098, FG-VD-19-099, and FG-VD-19-092.

How does SQL injection occur?

A SQL injection vulnerability occurs when user input is used to construct a SQL query without being properly sanitized. Interestingly, in this case, eight out of the nine identified vulnerabilities contained the same code pattern that made them vulnerable to SQL injection.

The FortiGuard report pointed out that, “In spite of the potential for exploit, many developers simply do not carefully filter user-supplied data. And in this case, this happened despite WordPress Core’s efforts, since they support various built-in methods to ensure that any user-supplied data is well-sanitized.”

Mitigation

At the time of writing this article, all these vulnerabilities were patched by the respective plugin owners after reporting by FortiGuard researchers. Hence, users are requested to download the patch for these plugins from the official owner's sources.

Researchers' Recommendations

“Although WordPress Core has taken all necessary steps to help developers prevent common attacks caused by malformed user-input, bad coding practices and misusing escaping functions still lead to simple but critical vulnerabilities,” said researchers. Considered as one of the dominant CMS platforms in the market, WordPress can be one of the most practical attack vectors for any cybercriminal. To avoid it, developers should strictly follow coding standards and maintain secure coding secure practices.