WordPress Plugin Vulnerabilities

Pods 1.4.7 <= 2.5.1.1 - Blind SQL Injection

Description

Version/s Tested: 2.5.1.1 and previous

Description:

Pods is a popular custom content types and fields plugin for WordPress. In the PodsUI class, which is used to build Pods administration interfaces, the orderby SQL query is set via a GET variable, which was not properly sanitized.

Technical Description:

At approximately Line 859 of the PodsUI class an orderby parameter, which is passed from the browser in a GET variable was subsequently used in an SQL query without being properly sanitized. The PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.

Proof of Concept (PoC):

The following GET request will cause the SQL query to execute and sleep for 10 seconds if in any page that uses the PodsUI class:

http://local.dev/wp-admin/admin.php?page=pods-manage-<PODNAME>&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)

Which will generate the following SQL Query:

SELECT DISTINCT `t`.*
FROM `wp_pods_<PODNAME>` AS `t`
ORDER BY post_date,(select * from (select(sleep(10)))a), `t`.`name`, `t`.`id`
LIMIT 0, 25

<PODNAME> must be a valid Advanced Content Type Pod

Impact:

Complete compromise of the WordPress installation by an uny third-party that has access to an interface, front-end or back-end, created with PodsUI. Access to Pods Admin defaults to admin level user only, but can be changed. Custom interfaces created with PodsUI have access-levels determined on a per interface basis. They are often used to created interfaces with controlled, limited content editing capabilities.

Fix:

A security release 2.5.1.2 made a change as seen in this diff: https://github.com/pods-framework/pods/commit/7eda9c183a97cc6987624f8f05d02854142d493b/?diff=split to correct the problem. All affected branches have been patched on WordPress.org and Github.

Timeline:

March 14th 2015 Issue found via internal review. Release and disclosure delayed due to weekend timing and awaiting response from WordPress.org security team.
March 14th 2015 WordPress.org security team notified, requesting forced update. No response as of March 16th 2015.
March 16th 2015 New version and patches released.

Credits:
Vulnerability discovered and fixed by Scott Kingsley Clark, Lead Developer of Pods (Pods.io)

Affects Plugins

Plugin icon
pods
Fixed in 2.5.1.2

References

URL
http://pods.io/2015/03/16/important-security-disclosure/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
Josh Pollock
Submitter website
http://pods.io
Submitter twitter
podsframework
Verified
No
WPVDB ID
398aef15-bea4-440d-8dae-3068c1668b39

Timeline

Publicly Published
2015-03-16 (about 11 years ago)
Added
2015-03-17 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2021-12-29
Title
Orange Form <= 1.0 - SQL Injection via CSRF
Published
2014-08-01
Title
ENL Newsletter 1.0.1 - wp-admin/admin.php enl-add-new Page id Parameter SQL Injection
Published
2025-02-12
Title
LTL Freight Quotes – FreightQuote Edition < 2.3.12 - Unauthenticated SQL Injection
Published
2022-11-07
Title
WP User Merger < 1.5.3 - Admin+ SQLi via ID
Published
2016-11-11
Title
Mini Cart Plugin 1.00.1 - Authenticated SQL Injection