120,000 WordPress websites vulnerable due to SQL injection flaw in plugin

Blog  — Tue 27 Feb 2024

Around 24 February it became known that the WordPress plugin Ultimate Member contains a SQL injection vulnerability. The plugin's latest release, version 2.8.3, fixes it, but many websites appear not to have installed that update yet.

What is SQL injection?

SQL stands for Structured Query Language, the language used to talk to relational databases such as MySQL and its fork MariaDB, the databases behind most web applications, WordPress included. SQL injection becomes possible when a software developer builds SQL statements carelessly.

In short, an application sends the database statements to execute. To store a first and last name, for example, the statement contains the two names as data, but also the instruction to store them. The same database will just as readily execute other instructions, such as reading or deleting data.

SQL injection abuses exactly that. When data supplied by a user is pasted into the text of a statement, the user can shape that data so the database no longer runs the intended statement but one with extra instructions added. A malicious actor can use this to read, add, or destroy data.

SQL injection in practice

For programmers, here is a concrete example of SQL injection in PHP. Consider the following query, built by interpolating two variables into a string:

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

If the contents of $username and/or $password are controlled by the visitor, SQL injection becomes possible. Suppose $password is not a real password but the following:

' OR '1'='1

The leading apostrophe closes the string literal that was meant to hold the password, so everything after it is read by the database as SQL rather than as data, and the attacker can change the command. The query becomes:

SELECT * FROM users WHERE username='$username' AND password='' OR '1'='1'

Because '1'='1' is always true, and OR binds more loosely than AND, the WHERE clause now matches every row in the users table regardless of which username and password were entered. A typical login routine then takes the first row returned, often the administrator account created first, and signs the attacker in without any valid credentials.

Preventing SQL injection effectively

What makes this situation remarkable is that SQL injection has long been preventable. Since PHP 5.1.0, released on 24 November 2005, PHP ships PDO (PHP Data Objects), which supports so-called "prepared statements": the SQL text is sent to the database with placeholders, and the values are supplied separately, so user input can never change the structure of the query.

Applied to the previous example: $password can no longer break out of the string literal and alter the command. With a prepared statement, an extra apostrophe is simply one more character of the password being compared, and the login fails as it should.
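The following is an added example and not code from the original post or from the Ultimate Member plugin. It runs the login query discussed above in two ways against a throw-away in-memory SQLite database through PDO: once with the values interpolated into the SQL text (the vulnerable form) and once as a PDO prepared statement (the fix). The table layout, the sample rows and the function names are assumptions made for this demonstration.

```php
<?php
// Added example (not from the original post or the Ultimate Member plugin).
// Vulnerable string interpolation beside a PDO prepared statement, both run
// against an in-memory SQLite database. Table, rows and function names are
// assumptions made for this demonstration.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample data. Plaintext passwords are used only to keep the
    // focus on injection; real code stores password hashes.
    $db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('alice', 'hunter2')");
    return $db;
}

// The vulnerable pattern from the post: user input pasted into the SQL text.
function buildVulnerableQuery(string $username, string $password): string {
    return "SELECT * FROM users WHERE username='$username' AND password='$password'";
}

// Returns the usernames of every row the interpolated query matched.
function loginVulnerable(PDO $db, string $username, string $password): array {
    $rows = $db->query(buildVulnerableQuery($username, $password))->fetchAll(PDO::FETCH_ASSOC);
    return array_column($rows, 'username');
}

// The fix: the SQL text holds only placeholders and the values travel
// separately, so nothing inside $username or $password can change the
// structure of the query.
function loginSafe(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    return array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'username');
}

$db = makeDb();
$payload = "' OR '1'='1";

// Show what the database actually receives when the payload is interpolated.
echo buildVulnerableQuery('nobody', $payload), PHP_EOL;

// Valid credentials work in both versions.
printf("vulnerable, valid login : %s\n", implode(',', loginVulnerable($db, 'alice', 'hunter2')) ?: '(none)');
printf("safe, valid login       : %s\n", implode(',', loginSafe($db, 'alice', 'hunter2')) ?: '(none)');

// The injected payload: the interpolated query matches every user in the
// table, while the prepared statement compares the payload literally as a
// password and matches nobody.
printf("vulnerable, injected    : %s\n", implode(',', loginVulnerable($db, 'nobody', $payload)) ?: '(none)');
printf("safe, injected          : %s\n", implode(',', loginSafe($db, 'nobody', $payload)) ?: '(none)');
```

Run it with the PHP command-line interpreter; it needs the pdo_sqlite extension, which is enabled in most PHP builds. The first printed line is the exact SQL the vulnerable version sends, which makes the closed-off string literal and the appended OR visible. Inside WordPress there is no PDO layer; plugin code talks to MySQL through the global $wpdb object, and the counterpart of a prepared statement there is $wpdb->prepare() with %s and %d placeholders, which escapes each value before it is placed in the query. That is the construct a plugin such as Ultimate Member is expected to use for every query that contains request data.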

Why does SQL injection persist in 2024?

Injection still sits in the OWASP Top 10 (it is A03 in the 2021 edition, which is still the current one in 2024), despite solutions such as PDO having been available in PHP for years. There are two reasons for this. Firstly, there is a large group of inexperienced and often cheaper programmers.

Secondly, using PDO is not mandatory, so programmers can still put data directly into the query text. That can be done safely by escaping every value correctly, but it requires expertise and discipline to ensure that input from arbitrary users or malicious actors never reaches a vulnerable query.

What should I do?

If you use the "Ultimate Member" plugin for WordPress, update to version 2.8.3 or later to close this vulnerability. Beyond that, consider whether you want to keep relying on such a plugin at all. As explained above, SQL injection is a well-known problem for which a solution has existed for decades, and it should not occur in 2024 if the developer has sufficient expertise.

Finding robust and secure (custom) plugins for WordPress is a matter of finding the right partner.