
WordPress security plugin Hide My WP addresses SQL injection, deactivation flaws


Bugs deemed ‘very straightforward to use as they require no stipulations’


Hide My WP, a popular WordPress security plugin, contained a severe SQL injection (SQLi) vulnerability and a security flaw that enabled unauthenticated attackers to deactivate the plugin.

Now patched, the bugs were found by Dave Jong, CTO of WordPress-focused bug hunting platform Patchstack, during an audit of plugins on a customer’s website.

The SQLi “is fairly extreme”, Jong told The Daily Swig. “It permits anybody to extract info from the database, it has no stipulations. A device similar to SQLmap may simply exploit this vulnerability.”


The other vulnerability is less severe, “however may, underneath the suitable situations, trigger a malicious consumer to proceed exploitation of a unique vulnerability”, added Jong.

Both flaws are “very straightforward to use as they require no stipulations”, he warned.

SQLi in SQLi protection software

Claiming more than 26,000 customers, Hide My WP hides WordPress installations from malicious hackers, spammers, and theme detectors by various means.

The plugin, which includes a feature that blocks SQLi and XSS attacks, itself contained an SQLi bug due to how the IP address was retrieved and used inside SQL queries.

“The function tries to retrieve the IP address from a number of headers, together with IP address headers which will be spoofed by the consumer similar to ,” reads a blog post published by Jong yesterday (November 24).

“By supplying a malicious payload in one of these IP address headers, it will be immediately inserted into the SQL query which makes SQL injection doable.”
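The bug class described above, as an added example that is not the plugin's code or Patchstack's: a client-supplied IP header concatenated into a query, beside a form that validates the address and binds it as a parameter. The header name `X-Forwarded-For`, the `blocked_ips` table, the `TRUSTED_PROXIES` set and all function names are assumptions chosen for illustration; the page does not name the header the plugin read.

```python
import ipaddress
import sqlite3

TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: address of our own reverse proxy

def client_ip(headers, remote_addr):
    """Return the client IP; honour X-Forwarded-For only from a trusted proxy."""
    candidate = remote_addr
    if remote_addr in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        # The right-most entry is the one appended by our own proxy.
        candidate = headers["X-Forwarded-For"].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))  # rejects non-IP strings
    except ValueError:
        return remote_addr  # fall back to the socket peer address

def is_blocked_unsafe(db, headers):
    """Vulnerable pattern: header value concatenated into the SQL text."""
    ip = headers.get("X-Forwarded-For", "")
    sql = "SELECT COUNT(*) FROM blocked_ips WHERE ip = '" + ip + "'"
    return db.execute(sql).fetchone()[0] > 0

def is_blocked_safe(db, headers, remote_addr):
    """Hardened pattern: validated IP passed as a bound parameter."""
    ip = client_ip(headers, remote_addr)
    sql = "SELECT COUNT(*) FROM blocked_ips WHERE ip = ?"
    return db.execute(sql, (ip,)).fetchone()[0] > 0

def make_db():
    """In-memory table holding one constructed blocklist entry."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked_ips (ip TEXT)")
    db.execute("INSERT INTO blocked_ips VALUES ('203.0.113.9')")
    return db

# Constructed sample request: the header carries SQL instead of an address.
SPOOFED = {"X-Forwarded-For": "198.51.100.7' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    # True: the header text changed the WHERE clause.
    print(is_blocked_unsafe(db, SPOOFED))
    # False: untrusted peer, header ignored, value bound as data.
    print(is_blocked_safe(db, SPOOFED, "198.51.100.7"))
```

Validation and parameter binding are independent controls: the bound parameter alone stops the injection, while the trusted-proxy check stops a client from choosing which IP the application believes it has.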

Reset token

Meanwhile, a reset token – – “will likely be immediately printed onto the display which might then be used to deactivate the plugin within the file (situated within the root folder of the plugin),” explained Jong, adding the caveat that there must be a valid token with a non-empty value.


“Just by visiting a URL similar to we will make it show the reset token on the display,” he added.

‘Optimistic information’

Jong said he discovered the vulnerability, notified the plugin’s developer, wpWave, and released a ‘virtual patch’ to premium Patchstack customers on September 29.

On October 5, after wpWave failed to reply, he alerted Envato, which responded within minutes and promptly removed the plugin, quickly, from its codecanyon.net marketplace.

Jong praised wpWave for quickly addressing both flaws in Hide My WP version 6.2.4, released on October 26.

“I wish to stress that such safety enhancements must be coated as constructive information for the [open source] ecosystem,” he said. “The truth that you haven’t heard about a vulnerability being fixed in other plugins doesn’t imply the vulnerabilities aren’t there – however would possibly imply they’re simply not addressed.”

Patchstack’s CTO invited other researchers and developers to report any bugs found in WordPress plugins to Patchstack’s WordPress plugin-specific bounty program.
