Custom 404 Pro < 3.8.1 – Multiple SQL Injection | CVE 2023-2032

Description

The plugin does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities.

Proof of Concept

Unauthenticated SQLi in INSERT statement:

1. Create a WordPress site with a database using the `gbk` charset and `gbk_chinese_ci` collation. This is needed to bypass `wp_slash`. To do so, initialize the site with the following lines in `wp-config.php`:

define( 'DB_CHARSET', 'gbk' );
define( 'DB_COLLATE', 'gbk_chinese_ci' );

2. As an admin, visit Custom 404 Pro > Settings > General and set “Logging Status” to enabled. If this doesn't work (because of a bug), set it manually in the database by setting the `value` to 1 in the `logging_enabled` row of the `wp_custom_404_pro_options table`.

3. Run the following command against the test site, and see that it take ~10 seconds:

quote_str=`echo -n "xbfx27"` ; time curl -v -s -H "Referer: http://evil.com$quote_str, (SELECT(SLEEP(10))))#" http://test.site/fakepage

Background on bypassing `addslashes` based on character encoding: https://href.li/?https://shiflett.org/blog/2006/addslashes-versus-mysql-real-escape-string

---

Admin+ SQLi in ORDER BY:

1. As an admin, visit Custom 404 Pro > Settings > General and set “Logging Status” to enabled. If this doesn't work (because of a bug), set it manually in the database by setting the `value` to 1 in the `logging_enabled` row of the `wp_custom_404_pro_options table`.

2. Visit a non-existing page in order to add a log to the DB.

3. Visit the following path on the site and see that it takes some time: `/wp-admin/admin.php?page=c4p-main&order=%2C(SELECT(SLEEP(2)))&orderby=created`