Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

WordPress security plugin Hide My WP addresses SQL injection, deactivation flaws

Hide My WP, a popular WordPress security plugin, contained a serious SQL injection (SQLi) vulnerability and a security flaw that enabled unauthenticated attackers to deactivate the software.

Now patched, the bugs were discovered by Dave Jong, CTO of WordPress-focused bug hunting platform Patchstack, during an audit of plugins on a customer’s website.

The SQLi “is pretty severe”, Jong told The Daily Swig. “It allows anyone to extract information from the database, it has no prerequisites. A tool such as SQLmap could easily exploit this vulnerability.”

The other vulnerability is less severe, “but could, under the right conditions, cause a malicious user to continue exploitation of a different vulnerability”, added Jong.

Both flaws are “very easy to exploit as they require no prerequisites”, he warned.

SQLi in SQLi defense software

Claiming more than 26,000 customers, Hide My WP hides WordPress installations from malicious hackers, spammers, and theme detectors by various means.

The plugin, which includes a feature that blocks SQLi and XSS attacks, itself contained an SQLi bug because of how the IP address was retrieved and used within SQL queries.

“The function hmwp_get_user_ip tries to retrieve the IP address from multiple headers, including IP address headers which can be spoofed by the user such as X-Forwarded-For,” reads a blog post published by Jong yesterday (November 24).

“By supplying a malicious payload in one of these IP address headers, it will be directly inserted into the SQL query which makes SQL injection possible.”

Reset token

Meanwhile, a reset token – hmwp_reset_token – “will be directly printed onto the screen which can then be used to deactivate the plugin in the file /wp-content/plugins/hide_my_wp/d.php (located in the root folder of the plugin),” explained Jong, adding the caveat that there must be a valid token with a non-empty value.

“Simply by visiting a URL such as /wp-admin/admin-ajax.php?die_message=new_admin&action=heartbeat we can make it display the reset token on the screen,” he added.

‘Positive news’

Jong said he discovered the vulnerability, notified the plugin’s developer, wpWave, and released a ‘virtual patch’ to premium Patchstack users on September 29.

On October 5, after wpWave failed to respond, he alerted Envato, which responded within minutes and promptly removed the plugin, temporarily, from its codecanyon.net marketplace.

Jong praised wpWave for rapidly addressing both flaws in Hide My WP version 6.2.4, released on October 26.

“I would like to stress that such security improvements should be covered as positive news for the [open source] ecosystem,” he said. “The fact that you haven’t heard about a vulnerability being fixed in some other plugins doesn’t mean the vulnerabilities aren’t there – but might mean they are just not addressed.”

Advertisement. Scroll to continue reading.

Patchstack’s CTO invited other researchers and developers to report any bugs found in WordPress plugins to Patchstack’s WordPress plugin-specific bounty program.

Source: https://portswigger.net/daily-swig/wordpress-security-plugin-hide-my-wp-addresses-sql-injection-deactivation-flaws

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO