Hide My WP, a popular WordPress security plugin, contained a serious SQL injection (SQLi) vulnerability and a security flaw that enabled unauthenticated attackers to deactivate the software.
Now patched, the bugs were discovered by Dave Jong, CTO of WordPress-focused bug hunting platform Patchstack, during an audit of plugins on a customer’s website.
The SQLi “is pretty severe”, Jong told The Daily Swig. “It allows anyone to extract information from the database, it has no prerequisites. A tool such as SQLmap could easily exploit this vulnerability.”
The other vulnerability is less severe, “but could, under the right conditions, cause a malicious user to continue exploitation of a different vulnerability”, added Jong.
Both flaws are “very easy to exploit as they require no prerequisites”, he warned.
SQLi in SQLi defense software
Claiming more than 26,000 customers, Hide My WP hides WordPress installations from malicious hackers, spammers, and theme detectors by various means.
The plugin, which includes a feature that blocks SQLi and XSS attacks, itself contained an SQLi bug because of how the IP address was retrieved and used within SQL queries.
“The function hmwp_get_user_ip tries to retrieve the IP address from multiple headers, including IP address headers which can be spoofed by the user such as X-Forwarded-For,” reads a blog post published by Jong yesterday (November 24).
“By supplying a malicious payload in one of these IP address headers, it will be directly inserted into the SQL query which makes SQL injection possible.”
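The pattern Jong describes, as an added example that is not Hide My WP's code: Python and sqlite3 stand in for the plugin's PHP and the WordPress database, and the table, function names and header values are constructed for illustration. It contrasts a client-supplied X-Forwarded-For value concatenated into a query with the same value validated as an IP address and bound as a parameter.

```python
import ipaddress
import sqlite3

def make_db():
    # Constructed stand-in table; not the plugin's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked_ips (ip TEXT)")
    db.execute("INSERT INTO blocked_ips VALUES ('203.0.113.7')")
    return db

def ip_from_headers_unchecked(headers, remote_addr):
    # Pattern the article describes: a client-supplied header is used as-is.
    return headers.get("X-Forwarded-For", remote_addr)

def ip_validated(headers, remote_addr, trusted_proxies=()):
    # Honour X-Forwarded-For only when the TCP peer is a known proxy, take the
    # rightmost entry (the one that proxy appended), and require a real IP.
    candidate = remote_addr
    if remote_addr in trusted_proxies and "X-Forwarded-For" in headers:
        candidate = headers["X-Forwarded-For"].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr  # header was not an IP address: ignore it

def is_blocked_concatenated(db, ip):
    # Vulnerable: the value becomes part of the SQL text.
    sql = "SELECT COUNT(*) FROM blocked_ips WHERE ip = '" + ip + "'"
    return db.execute(sql).fetchone()[0] > 0

def is_blocked_parameterized(db, ip):
    # Hardened: the value is bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM blocked_ips WHERE ip = ?"
    return db.execute(sql, (ip,)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    peer = "198.51.100.20"                          # constructed client address
    headers = {"X-Forwarded-For": "x' OR '1'='1"}   # constructed header value
    raw = ip_from_headers_unchecked(headers, peer)
    print("concatenated, raw header: ", is_blocked_concatenated(db, raw))
    print("parameterized, raw header:", is_blocked_parameterized(db, raw))
    print("validated address:        ", ip_validated(headers, peer))
```

With the concatenated query the header text alters the WHERE clause, so the lookup reports a match for an address that is not in the table; the parameterized query and the validated address do not.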
Reset token
Meanwhile, a reset token – hmwp_reset_token – “will be directly printed onto the screen which can then be used to deactivate the plugin in the file /wp-content/plugins/hide_my_wp/d.php (located in the root folder of the plugin),” explained Jong, adding the caveat that there must be a valid token with a non-empty value.
“Simply by visiting a URL such as /wp-admin/admin-ajax.php?die_message=new_admin&action=heartbeat we can make it display the reset token on the screen,” he added.
‘Positive news’
Jong said he discovered the vulnerability, notified the plugin’s developer, wpWave, and released a ‘virtual patch’ to premium Patchstack users on September 29.
On October 5, after wpWave failed to respond, he alerted Envato, which responded within minutes and promptly, if temporarily, removed the plugin from its codecanyon.net marketplace.
Jong praised wpWave for rapidly addressing both flaws in Hide My WP version 6.2.4, released on October 26.
“I would like to stress that such security improvements should be covered as positive news for the [open source] ecosystem,” he said. “The fact that you haven’t heard about a vulnerability being fixed in some other plugins doesn’t mean the vulnerabilities aren’t there – but might mean they are just not addressed.”
Patchstack’s CTO invited other researchers and developers to report any bugs found in WordPress plugins to Patchstack’s WordPress plugin-specific bounty program.