During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users, such as subscribers, to leak sensitive information from a site's database.
If exploited, these vulnerabilities could grant attackers access to privileged information from affected sites' databases (e.g., usernames and hashed passwords).
We reported the vulnerabilities to the plugins' authors, and they recently released Slimstat Analytics version 4.9.3.3 and Paid Memberships Pro version 2.9.12 to address them. We strongly recommend that you update affected plugins to their respective latest versions, and have an established security solution on your site, such as Jetpack Security.
Subscriber+ SQL Injection in Slimstat Analytics
| Field | Value |
| --- | --- |
| Plugin Name | Slimstat Analytics |
| Plugin URI | https://wordpress.org/plugins/wp-slimsta |
| Author | https://wp-slimstat.com |
| Affected Versions | 4.1 up to, but not including, 4.9.3.3 (fixed in 4.9.3.3) |
| CVE-ID | CVE-2023-0630 |
| WPScan ID | b82bdd02-b699-4527-86cc-d60b56ab0c55 |
| CVSSv3.1 | 7.7 |
```php
// Init the database library with the appropriate filters
// ($f, $w and $o are the shortcode's attributes, parsed earlier in the
//  function and not shown here; $_content is the shortcode's inner content)
if ( strpos( $_content, 'WHERE:' ) !== false ) {
    // Everything after the "WHERE:" token becomes a raw SQL fragment:
    // it is entity-decoded, but never validated or escaped
    $where = html_entity_decode( str_replace( 'WHERE:', '', $_content ), ENT_QUOTES, 'UTF-8' );
}
else {
    wp_slimstat_db::init( html_entity_decode( $_content, ENT_QUOTES, 'UTF-8' ) );
}

switch ( $f ) {
    case 'count':
    case 'count-all':
        // $where is concatenated into the query built by count_records()
        $output = wp_slimstat_db::count_records( $w, $where, strpos( $f, 'all' ) === false ) + $o;
        break;
```
The `slimstat` shortcode allows users to add filtering logic in the form of raw SQL WHERE fragments: it looks for a "WHERE:" token inside the shortcode's content, strips the token, and passes whatever follows (after HTML entity decoding, and with no validation or escaping) to `wp_slimstat_db::count_records()`, where it becomes part of the query. This functionality is a problem since, as we reported in a previous vulnerability advisory, any user logged onto a site, including subscribers, can render shortcodes in WordPress.
A proof of concept exploit for this vulnerability will be available on this vulnerability’s WPScan entry.
Subscriber+ SQL Injection in Paid Memberships Pro
| Field | Value |
| --- | --- |
| Plugin Name | Paid Memberships Pro |
| Plugin URI | https://wordpress.org/plugins/paid-memberships-pro/ |
| Author | https://www.paidmembershipspro.com/ |
| Affected Versions | 1.5.5 up to, but not including, 2.9.12 (fixed in 2.9.12) |
| CVE-ID | CVE-2023-0631 |
| WPScan ID | 19ef92fd-b493-4488-91f0-e6ba51362f79 |
| CVSSv3.1 | 7.7 |
```php
if ( $hasaccess && ! empty( $delay ) ) {
    // okay, this post requires membership. start by getting the user's startdate
    if ( ! empty( $levels ) ) {
        // Each level is run through esc_sql(), but the values are placed
        // unquoted inside IN( ... ), so the escaping protects nothing here
        $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND membership_id IN(" . implode( ",", array_map( 'esc_sql', $levels ) ) . ") AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
    } else {
        // user_id is wrapped in quotes, so esc_sql() is effective in this branch
        $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
    }
```
At first sight, it may look like the `membership` shortcode properly escapes the `$levels` variable before concatenating it into the SQL query. However, `esc_sql()` only escapes characters that would terminate a quoted string literal, and the levels are inserted unquoted inside `IN( ... )`. In that context an attacker does not need a quote to break out of the value, so any SQL that avoids quote characters is interpreted as-is: the "escaping" changes nothing.
Since shortcodes can be rendered by any logged-in user, including subscribers, this enables low-privileged attackers to leak sensitive information from the database, such as usernames and hashed passwords.
A proof of concept exploit for this vulnerability will be made available on this vulnerability’s WPScan entry.
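As an added example (not code from either plugin or from WordPress), the following Python script rebuilds the Paid Memberships Pro query pattern above against an in-memory SQLite database filled with constructed rows. It shows that a level value containing no quote characters passes esc_sql() unchanged and still rewrites the query, because the IN( ... ) context needs no quote to break out of, and places a hardened builder (integer cast plus bound parameters) beside it. The same lesson covers the Slimstat WHERE: fragment, which is concatenated with no escaping at all. Assumptions: esc_sql() is a simplified emulation of the WordPress function, the MySQL-only UNIX_TIMESTAMP(CONVERT_TZ(...)) wrapper is dropped so the query runs on SQLite, and the table names, user ID and password hash are made up.

```python
"""Added example, not code from Slimstat, Paid Memberships Pro or WordPress.

Reproduces the Paid Memberships Pro query-building pattern against an
in-memory SQLite database with constructed rows, to show why escaping quotes
(esc_sql) does not protect a value placed inside an unquoted IN( ... ) list,
and contrasts it with a builder that casts and binds the level IDs.
"""
import sqlite3

# Constructed sample data: fake admin password hash and WordPress-like tables.
FAKE_ADMIN_HASH = "$P$BconstructedFakeHash0000000000000000"
SCHEMA = f"""
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_pmpro_memberships_users (
    id INTEGER PRIMARY KEY, user_id INTEGER, membership_id INTEGER,
    status TEXT, startdate INTEGER);
INSERT INTO wp_users VALUES (1, 'admin', '{FAKE_ADMIN_HASH}');
INSERT INTO wp_pmpro_memberships_users VALUES (1, 5, 2, 'active', 1700000000);
"""


def esc_sql(value: str) -> str:
    """Simplified stand-in (assumption) for WordPress esc_sql(): backslash-
    escapes the characters that could terminate a quoted string literal."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def build_query_vulnerable(levels, user_id):
    """Mirrors the plugin's pattern: every level goes through esc_sql(), but
    the joined list is inserted UNQUOTED inside IN( ... ). No quote character
    is needed to leave the value, so esc_sql() protects nothing here."""
    in_list = ",".join(esc_sql(str(level)) for level in levels)
    return (
        "SELECT startdate FROM wp_pmpro_memberships_users "
        "WHERE status = 'active' AND membership_id IN(" + in_list + ") "
        "AND user_id = '" + esc_sql(str(user_id)) + "' ORDER BY id LIMIT 1"
    )


def build_query_fixed(levels, user_id):
    """Hardened builder: level IDs are integers, so cast each one (raising
    ValueError on anything else) and bind every value as a parameter.
    Returns (sql, params); attacker text never reaches the SQL parser."""
    level_ids = [int(level) for level in levels]
    placeholders = ",".join("?" for _ in level_ids)
    sql = (
        "SELECT startdate FROM wp_pmpro_memberships_users "
        "WHERE status = 'active' AND membership_id IN(" + placeholders + ") "
        "AND user_id = ? ORDER BY id LIMIT 1"
    )
    return sql, level_ids + [int(user_id)]


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_column(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params).fetchall()]


# Quote-free payload in the position of a membership level: closes IN(0),
# appends a UNION that reads a password hash, and "-- " comments out the rest.
PAYLOAD = "0) UNION SELECT user_pass FROM wp_users WHERE ID=1 -- "


def demo():
    """Returns (rows leaked by the vulnerable builder,
                rows returned by the fixed builder for a real lookup,
                whether the fixed builder rejected the payload)."""
    conn = open_demo_db()
    leaked = fetch_column(conn, build_query_vulnerable([PAYLOAD], user_id=5))
    sql, params = build_query_fixed(["2", "3"], user_id=5)
    legitimate = fetch_column(conn, sql, params)
    try:
        build_query_fixed([PAYLOAD], user_id=5)
        rejected = False
    except ValueError:
        rejected = True
    conn.close()
    return leaked, legitimate, rejected


if __name__ == "__main__":
    leaked, legitimate, rejected = demo()
    print("vulnerable builder leaked:      ", leaked)
    print("fixed builder returned:         ", legitimate)
    print("fixed builder rejected payload: ", rejected)
```

The vulnerable builder hands the database a single statement whose IN(0) is followed by an attacker-chosen UNION, so the first column of any table is readable one row at a time. The fixed builder refuses the payload outright; even if it coerced instead of raising, a bound integer can never change the query's structure.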
Conclusion
We recommend that you check which versions of the plugins your site is using and, if they are within the affected ranges, update them as soon as possible.
At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.
Credits
Original researcher: Marc Montpas
Thanks to the rest of the WPScan team for feedback, help, and corrections.