WordPress Plugin Vulnerabilities
Custom 404 Pro < 3.8.1 - Multiple SQL Injection
Description
The plugin does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities.
Proof of Concept
Unauthenticated SQLi in INSERT statement

1. Create a WordPress site whose database uses the `gbk` charset and `gbk_chinese_ci` collation. This is needed to bypass `wp_slash`: the slashes WordPress adds to request data are byte-oriented, so the byte 0xBF followed by a quote (0x27) becomes 0xBF 0x5C 0x27, and a MySQL connection using GBK reads 0xBF 0x5C as a single two-byte character, leaving the quote unescaped. To set this up, initialize the site with the following lines in `wp-config.php`:

   define( 'DB_CHARSET', 'gbk' );
   define( 'DB_COLLATE', 'gbk_chinese_ci' );

2. As an admin, visit Custom 404 Pro > Settings > General and set "Logging Status" to enabled. If this doesn't work (because of a bug), set it manually in the database by setting the `value` to 1 in the `logging_enabled` row of the `wp_custom_404_pro_options` table.

3. Run the following command against the test site and observe that it takes about 10 seconds to return, because the injected `SLEEP(10)` runs inside the INSERT that logs the 404 (the original `echo -n` has been replaced by `printf`, which reliably emits the two raw bytes):

   quote_str=$(printf '\xbf\x27')
   time curl -v -s -H "Referer: http://evil.com$quote_str, (SELECT(SLEEP(10))))#" http://test.site/fakepage

Background on bypassing `addslashes` based on character encoding: https://shiflett.org/blog/2006/addslashes-versus-mysql-real-escape-string

---

Admin+ SQLi in ORDER BY

1. As an admin, visit Custom 404 Pro > Settings > General and set "Logging Status" to enabled. If this doesn't work (because of a bug), set it manually in the database by setting the `value` to 1 in the `logging_enabled` row of the `wp_custom_404_pro_options` table.

2. Visit a non-existing page in order to add a log entry to the DB.

3. Visit the following path on the site and observe that the response is delayed by the injected `SLEEP(2)`, which is appended to the ORDER BY clause through the unsanitized `order` parameter:

   /wp-admin/admin.php?page=c4p-main&order=%2C(SELECT(SLEEP(2)))&orderby=created
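The following Python is an added illustration; it is not the plugin's code and not part of the researcher's proof of concept. It models the two weaknesses described above: a byte-oriented `addslashes`-style escape that a GBK connection charset defeats (the same 0xBF 0x27 bytes the Referer payload carries), and an ORDER BY clause assembled from raw request parameters. The helper names, the column whitelist and the sample bytes are assumptions constructed for the example.

```python
# Added example, not the plugin's code or the researcher's PoC. It models the
# two weaknesses described in the advisory: byte-oriented quote escaping that a
# GBK connection charset defeats, and an ORDER BY clause built from raw request
# parameters. Helper names and the column whitelist are assumptions.

# Constructed sample: the bytes the PoC puts in the Referer header, a GBK lead
# byte (0xBF) followed by a single quote (0x27).
PAYLOAD = b"\xbf'"


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): a backslash is
    put before ', ", \\ and NUL. It has no notion of multi-byte characters."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def literal_terminates_early(body: bytes, charset: str) -> bool:
    """Model of how the server scans the contents of '<body>': bytes are first
    grouped into characters of the connection charset, then a backslash
    escapes the single character that follows it. Returns True if an
    unescaped quote remains, i.e. the attacker closed the string literal."""
    chars = body.decode(charset)
    i = 0
    while i < len(chars):
        if chars[i] == "\\":
            i += 2  # the backslash and the character it escapes
            continue
        if chars[i] == "'":
            return True
        i += 1
    return False


def is_valid_in_charset(data: bytes, charset: str) -> bool:
    """Reject input that is not a valid byte sequence in the connection charset.
    0xBF 0x27 is not valid GBK (0x27 cannot be a trail byte), so an encoding
    check on the raw input catches the payload before any escaping happens."""
    try:
        data.decode(charset)
    except UnicodeDecodeError:
        return False
    return True


# Assumed column names for the plugin's log table; the real names are not in
# the advisory. Identifiers and sort direction cannot be bound as query
# parameters, so they must be matched against a fixed list instead.
ALLOWED_ORDERBY = ("created", "url", "referer")


def safe_order_clause(orderby: str, order: str) -> str:
    """Build the ORDER BY clause from request input without interpolating it.
    Anything not on the whitelist falls back to a default."""
    column = orderby if orderby in ALLOWED_ORDERBY else "created"
    direction = "DESC" if order.upper() == "DESC" else "ASC"
    return f"ORDER BY {column} {direction}"


if __name__ == "__main__":
    escaped = addslashes(PAYLOAD)
    print(escaped.hex())  # bf5c27
    # The same escaped bytes, read under two connection charsets:
    print("gbk    :", literal_terminates_early(escaped, "gbk"))      # True
    print("latin1 :", literal_terminates_early(escaped, "latin-1"))  # False
    print(repr(escaped.decode("gbk")))  # one CJK character followed by a quote
    print(is_valid_in_charset(PAYLOAD, "gbk"))  # False
    print(safe_order_clause("created", ",(SELECT(SLEEP(2)))"))  # ORDER BY created ASC
```

The encoding check is defense in depth only; the remedy for the INSERT is to bind the Referer and other values as query parameters (in WordPress, `$wpdb->prepare()` with placeholders) so that no escaping scheme has to be trusted, while the ORDER BY column and direction, which placeholders cannot cover, are constrained by a whitelist as in `safe_order_clause`.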
Classification
Type: SQLI
Miscellaneous
Original Researcher: Alex Sanford
Submitter: Alex Sanford
Verified: Yes
Timeline
Publicly Published: 2023-06-05
Added: 2023-06-05
Last Updated: 2023-06-05