- A Tenable cybersecurity researcher found three plugins with SQL injection vulnerabilities and reported them to WordPress on 19 December 2022.
- WordPress acknowledged the reports for the vulnerabilities on 20 December 2022 and alerted the developers about the incident.
- The developers released patches between 21 December 2022 and 5 January 2023 and urged all of their users to update the plugins as soon as possible.
Joshua Martinelle from the Tenable security team discovered that three plugins were open to SQL injection attacks. The plugins, Paid Memberships Pro, Easy Digital Downloads, and Survey Maker, have more than 150,000 active installations combined. The SQL injection vulnerabilities can allow attackers to modify or completely delete the websites. After Martinelle released proof-of-concept exploits for the vulnerabilities on 19 December 2022, the developers fixed them within weeks.
Vulnerabilities
The first vulnerability was found in Paid Memberships Pro. The unauthenticated SQL injection vulnerability is being tracked as CVE-2023-23488 and has a CVSSv3 score of 9.8. The vulnerability affects versions 2.9.8 and older. The plugin does not escape the ‘code’ parameter in the /pmpro/v1/order REST route before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability. The flaw was fixed in version 2.9.8.
Another vulnerability was found in the Easy Digital Downloads plugin. This vulnerability also has a CVSSv3 score of 9.8 and is being tracked as CVE-2023-23489. It affects versions 3.1.0.2 and 3.1.0.3. The plugin does not escape the ‘s’ parameter in the ‘edd_download_search’ action before using it in a SQL statement, leading to an unauthenticated SQL injection vulnerability. The vulnerable part of the code corresponds to the ‘edd_ajax_download_search()’ function of the ‘./includes/ajax-functions.php’ file. The developers released the fix in version 3.1.0.4.
The third vulnerability affects a plugin named Survey Maker. It has a CVSSv3 score of 8.8 and is being tracked as CVE-2023-23490. The vulnerability affects versions 3.1.2 and older. The plugin does not escape the ‘surveys_ids’ parameter in the ‘ays_surveys_export_json’ action before using it in a SQL statement, leading to an authenticated SQL injection vulnerability. The vulnerability requires the attacker to be authenticated but does not require administrator privileges; the following example uses an account with the ‘subscriber’ privilege level.
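All three flaws share one root cause: a request parameter is placed into SQL text before the query reaches the database. The following is an added illustration, not code from any of the three plugins or from Tenable: a hypothetical download-search AJAX handler in its vulnerable form, then rewritten with WordPress's $wpdb->prepare(). The function names, the 'download' post type and the hook names are assumptions; $wpdb->prepare(), $wpdb->esc_like(), $wpdb->posts and the wp_ajax_* hooks are real WordPress APIs.

```php
<?php
// Added example (hypothetical plugin code). It reads the 's' request parameter,
// as a search endpoint would, and shows the unescaped pattern next to the fix.

// VULNERABLE PATTERN: the raw request value is concatenated into the SQL text,
// so whatever the client sends becomes part of the query's syntax.
function example_download_search_vulnerable() {
    global $wpdb;
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}"
          . " WHERE post_type = 'download' AND post_title LIKE '%" . $term . "%'";
    wp_send_json( $wpdb->get_results( $sql ) ); // 's' reaches SQL unescaped
}

// HARDENED PATTERN: the query text is fixed and the value is bound through
// $wpdb->prepare(); esc_like() additionally escapes '%' and '_' so the user
// cannot alter the LIKE pattern itself.
function example_download_search_hardened() {
    global $wpdb;
    $term = sanitize_text_field( wp_unslash( $_GET['s'] ?? '' ) );
    if ( '' === $term ) {
        wp_send_json( array() ); // wp_send_json() terminates the request
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_type = 'download' AND post_title LIKE %s LIMIT 20",
        $like
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Registering the handler on the nopriv hook makes it reachable without a
// login, which is why input to such actions must be treated as hostile.
add_action( 'wp_ajax_example_download_search', 'example_download_search_hardened' );
add_action( 'wp_ajax_nopriv_example_download_search', 'example_download_search_hardened' );
```

When reviewing a plugin for this class of bug, look for any $wpdb->query()/get_results()/get_var() call whose SQL string is built with concatenation or interpolation of $_GET, $_POST or $_REQUEST values; prepared placeholders (%s, %d) with prepare() are the fix in every case.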