Major WordPress plugins identified with critical SQL injection vulnerabilities

  • The vulnerable plugins are now patched by the respective vendors.
  • All nine vulnerabilities were given a CVSS score of 9.0 and rated with critical severity.

Nine popular WordPress plugins were discovered and reported to contain SQL injection vulnerabilities. These plugins belong to various categories such as advertisements, donations, galleries, and newsletters, and are widely used by many websites. Many site owners have also rated these plugins at the top of the categories to which they belong.

Who discovered the vulnerabilities?

The vulnerabilities were discovered by security researchers from Fortinet’s FortiGuard Labs and were made public in a detailed report. Each identified vulnerability was assigned a FortiGuard Labs identifier. The following is the list of IDs for the nine identified vulnerabilities.

FortiGuard gave every listed vulnerability a base score of 9.0 and classed them as critical severity.

Both the free and Pro versions of popular plugins such as AdRotate, NextGen, and Impress Give were affected. While most of the vulnerabilities shared the same code pattern, the FortiGuard researchers explained three of them in detail, those with identifiers FG-VD-19-098, FG-VD-19-099, and FG-VD-19-092.

How does SQL injection occur?

A SQL injection vulnerability occurs when user input is used to construct a SQL query without being properly sanitized. Interestingly, in this case, eight out of the nine identified vulnerabilities contained the same code pattern that made them vulnerable to SQL injection.

The FortiGuard report pointed out that, “In spite of the potential for exploit, many developers simply do not carefully filter user-supplied data. And in this case, this happened despite WordPress Core’s efforts, since they support various built-in methods to ensure that any user-supplied data is well-sanitized.”
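As an added illustration (hypothetical plugin code written for this article, not the code of any plugin named above), the same record lookup is shown in its concatenated form, in the "escaped but still injectable" form the researchers describe, and in the prepared form that uses WordPress's built-in `$wpdb->prepare()`:

```php
<?php
// Hypothetical ad-lookup handler for a WordPress plugin (constructed example;
// the table name `{$wpdb->prefix}ads` and the request keys are assumptions).

// 1. Vulnerable: the request value is concatenated straight into the query,
//    so whatever the client sends becomes part of the SQL statement.
function get_ad_vulnerable( $wpdb, $request ) {
    $id = $request['id']; // attacker-controlled
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}ads WHERE id = " . $id );
}

// 2. Still vulnerable: esc_sql() only escapes quote characters. The value is
//    not wrapped in quotes in the query, so there is nothing to escape and
//    injected text still executes as SQL. This is the "misusing escaping
//    functions" pattern the report warns about.
function get_ad_misused_escape( $wpdb, $request ) {
    $id = esc_sql( $request['id'] );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}ads WHERE id = " . $id );
}

// 3. Hardened: $wpdb->prepare() binds the value through a typed placeholder;
//    %d coerces to an integer and %s would be quoted and escaped by WordPress.
//    Validating the type up front with absint() adds a second layer.
function get_ad_hardened( $wpdb, $request ) {
    $id = absint( $request['id'] );
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ads WHERE id = %d", $id )
    );
}

// Identifiers such as ORDER BY columns cannot be bound with prepare(), and
// escaping does not help there either; restrict them to an allow-list.
function get_ads_sorted( $wpdb, $request ) {
    $allowed = array( 'id', 'name', 'created' );
    $col = in_array( $request['orderby'], $allowed, true ) ? $request['orderby'] : 'id';
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ads ORDER BY {$col}" );
}
```

Reviewing a plugin for the second pattern (an escaping call whose result lands in an unquoted or identifier position) is a quick way to spot the class of bug described in the report.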

Mitigation

At the time of writing, all of these vulnerabilities had been patched by the respective plugin owners after FortiGuard researchers reported them. Users should therefore update these plugins from the official vendor sources.

Researchers’ Recommendations

“Although WordPress Core has taken all necessary steps to help developers prevent common attacks caused by malformed user input, bad coding practices and misusing escaping functions still lead to simple but critical vulnerabilities,” said the researchers. As one of the dominant CMS platforms on the market, WordPress is one of the most practical attack vectors for any cybercriminal. To avoid this, developers should strictly follow coding standards and maintain secure coding practices.

Ankush Gaikwad

Software/web/App Developer and Cyber Security Investigator