{"id":16190,"date":"2019-08-28T17:40:08","date_gmt":"2019-08-29T01:40:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/28\/news-9932\/"},"modified":"2019-08-28T17:40:08","modified_gmt":"2019-08-29T01:40:08","slug":"news-9932","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/28\/news-9932\/","title":{"rendered":"Multiple WordPress Plugins SQL Injection Vulnerabilities"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Introduction<\/h2>\n<p>In July 2019, Fortinet\u2019s FortiGuard Labs discovered and reported nine SQL injection vulnerabilities in nine different popular WordPress plugins across a variety of categories, including advertisement, donation, gallery, forms, newsletter, and video player. These plugins are being actively used by hundreds of thousands of WordPress websites, with some of them ranked in the top position for their corresponding category.<\/p>\n<p>All discovered vulnerabilities have been assigned a FortiGuard Labs identity that includes details and corresponding CVE ID: <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-092\">FG-VD-19-092<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-094\">FG-VD-19-094<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-095\">FG-VD-19-095<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-096\">FG-VD-19-096<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-097\">FG-VD-19-097<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-098\">FG-VD-19-098<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-099\">FG-VD-19-099<\/a>, <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-101\">FG-VD-19-101<\/a> and <a href=\"https:\/\/fortiguard.com\/zeroday\/FG-VD-19-102\">FG-VD-19-102<\/a>.<\/p>\n<p>An interesting point is eight out of nine vulnerabilities were found with the same simple code 
pattern that made them vulnerable to a SQL injection. In spite of the potential for exploit, many developers simply do not carefully filter user-supplied data. And in this case, this happened despite WordPress Core\u2019s efforts, since they support various built-in methods to ensure that any user-supplied data is well-sanitized.<\/p>\n<p>In this blog post, we will go through the set of WordPress security mechanisms, analyze some of the discovered vulnerabilities, and explain the ways an attacker could exploit these vulnerabilities and how to prevent them \u2013 all from a developer\u2019s perspective.<\/p>\n<p>At the time of writing, all of the issues identified in this blog have been fixed and published by their respective vendors. Fortinet\u2019s FortiGuard Labs appreciates their quick responses and timely fixes.<\/p>\n<h2>Background<\/h2>\n<p>A SQL injection occurs when user input is used to construct a SQL query without being properly sanitized. Consider the following example:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1005120167.img.png\" alt=\"Figure 1:  Example of an SQL Query using WordPress\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1:  Example of an SQL Query using WordPress.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>At first glance, one would say this code is vulnerable to a SQL injection attack, since <b>$id<\/b> is retrieved from <b>$_GET<\/b> and passed into the SQL query without any sanitization. 
The good news is, in the latest version of WordPress, magic quotes are always added to <b>$_POST<\/b>\/<b>$_GET<\/b>\/<b>$_REQUEST<\/b>\/<b>$_COOKIE<\/b> by default <sup>[1]<\/sup>. This helps WordPress maintain consistency and provide the best possible security capabilities. Therefore, the above code is not actually vulnerable.<\/p>\n<p>Besides enforcing the addition of slashes to all input values, WordPress also provides several built-in sanitization and escape functions for cleaning user input and\/or securing output\u00a0<sup>[2]<\/sup>. Developers can use <b>sanitize_email()<\/b> to sanitize email addresses, <b>sanitize_text_field()<\/b> to clean text field values, <b>sanitize_sql_orderby()<\/b> to validate SQL <b>ORDER BY<\/b> clauses, and more. Most common types of user input are covered by the WordPress <b>sanitize_*()<\/b> family of helper functions.<\/p>\n<p>Although WordPress Core is doing its best to help developers prevent common attacks caused by malformed user input, bad coding practices and misuse of escaping functions still lead to simple but critical vulnerabilities.<\/p>\n<h2>Analysis<\/h2>\n<h3>FG-VD-19-092 \u2013 SQL Injection in AdRotate Plugin through 5.2 for WordPress<\/h3>\n<p>This vulnerability is a classic SQL injection that exists in the <b>AdRotate<\/b> plugin through v5.2, in both the FREE and PRO versions. 
The flaw can be spotted in <b>dashboard\/publisher\/adverts-edit.php<\/b>, at line 25.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_676169188.img.png\" alt=\"Figure 2:  The SELECT statement in adverts-edit.php is used for getting advertisements from the DB\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2:  The SELECT statement in adverts-edit.php is used for getting advertisements from the DB.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The variable <b>$ad_edit_id<\/b> is used to construct a SQL query. This variable is retrieved from <b>$_GET<\/b>, in the <b>adrotate_manage<\/b> function:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_308832105.img.png\" alt=\"Figure 3: $ad_edit_id is controllable by users.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: $ad_edit_id is controllable by users.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Since <b>esc_attr<\/b> only escapes HTML attributes and <b>$ad_edit_id<\/b> is not escaped with double quotes in the SQL query, we can execute an arbitrary SQL statement by injecting payloads into 
<b>$ad_edit_id<\/b>.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1475866188.img.png\" alt=\"Figure 4: Leaky database version in AdRotate plugin 5.2\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Leaky database version in AdRotate plugin 5.2.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Although the management interface is only available for the Administrator role, a lack of a CSRF token makes it possible for unauthenticated attackers to remotely steal information, including session tokens, with a minimum user interaction by using this SQL injection vulnerability to cause a XSS:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1387857810.img.png\" alt=\"Figure 5: XSS caused by SQL Injection\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: XSS caused by SQL Injection.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The patch from the developers is simply adding quotes to <b>$ad_edit_id<\/b> in the query.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript 
data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1731626679.img.png\" alt=\"Figure 6: AdRotate SQL injection vulnerability patch in version 5.3\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: AdRotate SQL injection vulnerability patch in version 5.3.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Timeline:<\/b><\/p>\n<ul>\n<li>Fortinet reported the vulnerability to AJDG Solutions on July 09, 2019.<\/li>\n<li>AJDG Solutions asked for more information and confirmed the vulnerability on July 10, 2019.<\/li>\n<li>AJDG Solutions released a patch for the vulnerability on July 12, 2019.<\/li>\n<\/ul>\n<h3>FG-VD-19-099 \u2013 SQL Injection in NextGEN Gallery Plugin through 3.2.10 for WordPress<\/h3>\n<p><b>NextGEN Gallery<\/b> has been the industry\u2019s standard WordPress gallery plugin since 2007 and continues to enjoy over 1.5 million new downloads per year. Its appeal is that it is easy to use for simple photo galleries, but powerful enough for the most demanding photographers, visual artists, and imaging professionals. 
At the time of writing, <b>NextGEN Gallery<\/b> has over 900,000 active installations and is the most popular plugin in the Gallery category <sup>[3]<\/sup>.<\/p>\n<p>The flaw happens in an AJAX API, which allows users to attach photos from galleries while writing posts.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_126290056.img.png\" alt=\"Figure 7: User-supplied input being processed in get_displayed_gallery_entities_action\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: User-supplied input being processed in get_displayed_gallery_entities_action.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The function <b>get_displayed_gallery_entities_action<\/b> in <b>modules\/attach_to_post\/package.module.attach_to_post.php<\/b> is responsible for showing photos in selected galleries. A keyed array param <b>displayed_gallery<\/b> is retrieved via the POST method to create a gallery object in line 119. Attributes of the object are escaped by the <b>esc_sql<\/b> helper function. 
Then <b>get_entities<\/b> is called in line 130, which leads us to the <b>get_entities<\/b> function in <b>modules\/nextgen_gallery_display\/package.module.nextgen_gallery_display.php.<\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1289431896.img.png\" alt=\"Figure 8: get_entities call a corresponding function based on a return request.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: get_entities call a corresponding function based on a return request.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Since the return request has a value of <b>both<\/b>, the <b>_get_image_entities<\/b> in line 832 is called.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1421957942.img.png\" alt=\"Figure 9: _get_image_entities gets all images in the displayed gallery\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: _get_image_entities gets all images in the displayed gallery.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This function basically prepares a query that returns all images in the displayed gallery. 
As you may have noticed in line 1041, it applies a sort order based on <b>$sort_by<\/b> and <b>$sort_direction<\/b>, which are retrieved from the created gallery object. Any authenticated user with permission to use <b>NextGEN Gallery<\/b> can manipulate the params used to create this gallery object. Although every attribute of the object is escaped with <b>esc_sql<\/b>, that does not help here: an injection into the <b>ORDER BY<\/b> clause needs no quotes at all, so there is nothing for <b>esc_sql<\/b> to escape. Hence, <b>esc_sql<\/b> can\u2019t prevent <b>NextGEN Gallery<\/b> from being exploited in this case.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1191394845.img.png\" alt=\"Figure 10: Blind-SQL injection in NextGEN Gallery. A true case returns all images in a selected gallery.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Blind-SQL injection in NextGEN Gallery. A true case returns all images in a selected gallery.<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1021747658.img.png\" alt=\"Figure 11: Blind-SQL injection in a NextGEN Gallery. 
A false case will return an empty result.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11: Blind-SQL injection in a NextGEN Gallery. A false case will return an empty result.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The patch from the <b>Imagely<\/b> team works fine. By only allowing intended values in the <b>ORDER BY<\/b> clause, the query is safe.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_967862302.img.png\" alt=\"Figure 12: Imagely fixes the issue by whitelisting the sort values.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Imagely fixes the issue by whitelisting the sort values.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Timeline:<\/b><\/p>\n<ul>\n<li>Fortinet reported the vulnerability to Imagely on July 23, 2019.<\/li>\n<li>Imagely confirmed the vulnerability and released a patch within NextGEN Gallery 3.2.10 on July 24, 2019.<\/li>\n<li>Imagely released a patch within NextGEN Gallery\u00a03.2.11\u00a0to completely fix the issue on\u00a0August 27, 2019.<\/li>\n<\/ul>\n<p>Using the same pattern, I was able to discover seven more plugins that were also vulnerable to an SQL injection attack. 
One of them actually tried to whitelist the sort values, but failed to accomplish their goal because of a small coding mistake.<\/p>\n<h3>FG-VD-19-098 \u2013 SQL Injection in Impress Give Plugin through 2.5.0 for WordPress<\/h3>\n<p><b>Give<\/b> is the highest rated, most downloaded, and best supported donation plugin for WordPress<sup> [4]<\/sup>.<\/p>\n<p>The vulnerable code exists in the <b>get_order_query<\/b> function in <b>includes\/donors\/class-give-donors-query.php.<\/b><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1028068209.img.png\" alt=\"Figure 13: Vulnerable code in Give Plugin\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Vulnerable code in Give Plugin.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As the comment points out, the <b>get_order_query<\/b> tries to remove non-existing columns for the <b>ORDER BY<\/b> clause, and filter sort values by applying the <b>esc_sql<\/b> helper function. The removal does not work as expected because after a non-existing column is unset in line 467, an escaped value is reinserted in line 470. Many of us already know that <b>esc_sql<\/b> is not useful for preventing a SQL injection attack within the <b>ORDER BY<\/b> clause. Therefore, the constructed query is still vulnerable. 
The same blind SQL injection technique can be used to exploit this vulnerability.<\/p>\n<p>A simple one-line patch from the <b>Impress<\/b> team allows the filter to work as expected, which makes the query completely safe.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 14: Patch from Impress team for Give Plugin.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Patch from Impress team for Give Plugin.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Timeline:<\/b><\/p>\n<ul>\n<li>Fortinet reported the vulnerability on July 11, 2019.<\/li>\n<li>Give replied that the team was investigating the report on July 11, 2019.<\/li>\n<li>Give confirmed the vulnerability and released a patch on July 13, 2019. The Give team asked for disclosure as near to August 11 as possible, to give users as much time as possible to upgrade.<\/li>\n<\/ul>\n<p>The other vulnerabilities had the same vulnerable code pattern, and their patches are quite similar.<\/p>\n<h2>Recommendations<\/h2>\n<p>In this section, we provide some recommendations to follow when developing a WordPress plugin that should help prevent SQL injection attacks. The WordPress community has a useful and complete Handbook for plugin development <sup>[5]<\/sup>. As a developer, you should always follow WordPress coding standards and secure coding best practices. In addition, the following recommendations will help to prevent not only SQL injection, but other vulnerabilities caused by malformed user input as well:<\/p>\n<ul>\n<li>Never trust user input. 
Always perform validations and sanitizations before or after using user-supplied data.<\/li>\n<li>If you are not sure whether the data is safe, apply whichever built-in sanitization functions best fit the data. For example, <b style=\"\">sanitize_sql_orderby()<\/b> will fix all of the discovered vulnerabilities outlined above.<\/li>\n<li>Instead of using <b style=\"\">esc_sql<\/b>, in 99% of cases you can use prepared statements.<\/li>\n<li>In those rare cases where you can\u2019t easily use a prepared statement, you can use <b style=\"\">esc_sql<\/b> with the escaped value placed inside quotes.<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>WordPress is the most dominant CMS, with <b>61.0%<\/b> of market share, which means that it is used in <b>34.3%<\/b> of all websites <sup>[6]<\/sup>. According to Wordfence, <b>52%<\/b> of related vulnerabilities reported were WordPress plugins <sup>[7]<\/sup>. These numbers indicate that targeting WordPress plugins is one of the most practical attack vectors for cybercriminals. SQL injection is not a new technique, but it always poses serious security threats to web applications and web servers. To avoid it, developers should always follow coding standards and secure coding best practices.<\/p>\n<p>For WordPress users, you should always keep WordPress and plugins up to date as well.<\/p>\n<p>If you are interested in this kind of assessment for your software or application, FortiGuard Labs provides a tailor-made vulnerability assessment and penetration testing service that can help you improve the security of your products. Check out <a href=\"https:\/\/fortiguard.com\/services\/pentesting\">https:\/\/fortiguard.com\/services\/pentesting<\/a> for more information.<\/p>\n<p>-== FortiGuard Lion Team ==-<\/p>\n<h2>Solution<\/h2>\n<p>Organizations using FortiWeb &#8211; Fortinet\u2019s Web Application Firewall, are already protected from these vulnerabilities with generic SQL injection detections. 
FortiGuard Labs also released the following IPS signatures, which cover all the vulnerabilities mentioned:<\/p>\n<p>WordPress.AJDGSolutions.AdRotate.SQL.Injection<br \/> WordPress.Adenion.Blog2Social.SQL.Injection<br \/> WordPress.Icegram.EmailSubscribers.SQL.Injection<br \/> WordPress.WPEverest.EverestForms.SQL.Injection<br \/> WordPress.FolioVision.FlowplayerVideoPlayer.SQL.Injection<br \/> WordPress.Impress.Give.SQL.Injection<br \/> WordPress.Imagely.NextGENGallery.SQL.Injection<br \/> WordPress.10Web.PhotoGallery.SQL.Injection<br \/> WordPress.Sygnoos.PopupBuilder.SQL.Injection<\/p>\n<h3><b>CVSS 3.0 Metrics:<\/b><\/h3>\n<p>FG-VD-19-092: Base Score 9.0, Critical severity<br \/> FG-VD-19-094: Base Score 9.0, Critical severity<br \/> FG-VD-19-095: Base Score 9.0, Critical severity<br \/> FG-VD-19-096: Base Score 9.0, Critical severity<br \/> FG-VD-19-097: Base Score 9.0, Critical severity<br \/> FG-VD-19-098: Base Score 9.0, Critical severity<br \/> FG-VD-19-099: Base Score 9.0, Critical severity<br \/> FG-VD-19-101: Base Score 9.0, Critical severity<br \/> FG-VD-19-102: Base Score 9.0, Critical severity<\/p>\n<h2>References<\/h2>\n<p>[1] WordPress, \u201cFunction Reference\/stripslashes_deep\u201d, <a href=\"https:\/\/codex.wordpress.org\/Function_Reference\/stripslashes_deep\">https:\/\/codex.wordpress.org\/Function_Reference\/stripslashes_deep<\/a> (27<sup>th<\/sup> Aug 2019)<br \/> [2] WordPress, \u201cValidating Sanitizing and Escaping User Data\u201d, <a href=\"https:\/\/codex.wordpress.org\/Validating_Sanitizing_and_Escaping_User_Data\" style=\"\">https:\/\/codex.wordpress.org\/Validating_Sanitizing_and_Escaping_User_Data<\/a> (27<sup>th<\/sup> Aug 2019)<br \/> [3] Imagely, \u201cWordPress Gallery Plugin \u2013 NextGEN Gallery\u201d, <a href=\"https:\/\/wordpress.org\/plugins\/nextgen-gallery\/\" style=\"\">https:\/\/wordpress.org\/plugins\/nextgen-gallery\/<\/a> (27<sup>th<\/sup> Aug 2019)<br \/> [4] Impress, \u201cGive &#8211; Donation Plugin and 
Fundraising Platform\u201d, <a href=\"https:\/\/wordpress.org\/plugins\/give\/\" style=\"\">https:\/\/wordpress.org\/plugins\/give\/<\/a> (27<sup>th<\/sup> Aug 2019)<br \/> [5] WordPress, \u201cPlugin Handbook\u201d, <a href=\"https:\/\/developer.wordpress.org\/plugins\/\" style=\"\">https:\/\/developer.wordpress.org\/plugins\/<\/a> (27<sup>th<\/sup> Aug 2019)<br \/> [6] W3Techs, \u201cUsage statistics and market share of WordPress\u201d, <a href=\"https:\/\/w3techs.com\/technologies\/details\/cm-wordpress\/all\/all\" style=\"\">https:\/\/w3techs.com\/technologies\/details\/cm-wordpress\/all\/all<\/a> (01 Aug 2019)<br \/> [7] Wordfence, \u201cHow Attackers Gain Access to WordPress Sites\u201d (2016), <a href=\"https:\/\/www.wordfence.com\/blog\/2016\/03\/attackers-gain-access-wordpress-sites\/\" style=\"\">https:\/\/www.wordfence.com\/blog\/2016\/03\/attackers-gain-access-wordpress-sites\/<\/a> (27<sup>th<\/sup> Aug 2019)\u00a0<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<div 
class=\"raw-import aem-GridColumn aem-GridColumn--default--12\"><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/wordpress-plugin-sql-injection-vulnerability\/_jcr_content\/root\/responsivegrid\/image_1005120167.img.png\"\/><br \/>Learn more about the nine SQL injection vulnerabilities that FortiGuard Labs recently discovered in different popular WordPress plugins, and find out how to prevent them from being exploited.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16190","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16190"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16190\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16190"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}