WordPress.org

Forums

Username Changer
[resolved] SQL Injection Vulnerabilities (16 posts)

  1. robert_k
    Member
    Posted 1 year ago #

    This plugin could potentially be exploited by any member on a WordPress site. Use this plugin at your own risk. It works, but it isn't nearly secure enough.

    Firstly, no permission check is performed on the new page, just when outputting links. This isn't secure enough, as just about anyone who knows the plugin is installed can manually enter the link and then rename an administrator. This needs another current_user_can('edit_users') check.

    Secondly, because the author did not consistently use $wpdb->prepare() for his SQL there are several SQL injection vulnerabilities. I don't advise ever using esc_attr() on database input in place of proper SQL escaping; it can conceivably be bypassed. Anywhere that the plugin uses the $_REQUEST['id'] parameter the input is appended unfiltered to the end of a query. So just displaying the page you could essentially reset the password of an administrator to something you know, or perhaps all users, for just one example.

    If you are the author of this plugin: I've taken the time to secure this plugin for a project and have sanitized all SQL statements. I made a few tweaks for the sake of this project that you needn't carry over, but the security check and the SQL protection you really should carry over. You can download and compare my changes here. And if you incorporate my changes, please list me as a contributor: "Robert Kosek, Wood Street Inc".

    http://wordpress.org/extend/plugins/username-changer/
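The two defects the post describes, missing capability check on the handler and request input concatenated into SQL, shown beside a hardened form. This is an added illustration written for this thread, not the Username Changer plugin's code or robert_k's patch; the function names, nonce action and the exact query are hypothetical. `current_user_can()`, `check_admin_referer()`, `absint()`, `sanitize_user()`, `wp_unslash()`, `esc_attr()`, `wp_die()` and `$wpdb->prepare()` are the real WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Hypothetical handler that renames a
// user, first in the shape the post criticises, then hardened.

// BEFORE: the page that performs the rename has no capability check of its
// own (only the menu link was guarded), and $_REQUEST['id'] is appended to
// the query unfiltered. esc_attr() is HTML attribute escaping, not SQL
// escaping, so it does not make the second value safe either.
function hypothetical_rename_user_insecure() {
    global $wpdb;
    $id  = $_REQUEST['id'];                        // untrusted, unfiltered
    $new = esc_attr( $_REQUEST['new_username'] );  // wrong kind of escaping
    $wpdb->query( "UPDATE {$wpdb->users} SET user_login = '$new' WHERE ID = $id" );
}

// AFTER: the handler itself checks the capability, verifies a nonce, casts
// and sanitizes the inputs, and passes them through $wpdb->prepare() so the
// values are bound as data and cannot change the structure of the query.
function hypothetical_rename_user_secure() {
    global $wpdb;

    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'You do not have permission to rename users.' );
    }
    check_admin_referer( 'hypothetical_rename_user' ); // hypothetical nonce action

    $id  = absint( $_REQUEST['id'] );
    $new = sanitize_user( wp_unslash( $_REQUEST['new_username'] ), true );
    if ( 0 === $id || '' === $new ) {
        wp_die( 'Invalid request.' );
    }

    // Refuse to rename onto a login that already exists.
    $taken = $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login = %s AND ID <> %d",
        $new,
        $id
    ) );
    if ( null !== $taken ) {
        wp_die( 'That username is already in use.' );
    }

    // %d and %s placeholders: the integer is cast, the string is quoted and
    // escaped by $wpdb, never interpolated by hand.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->users} SET user_login = %s WHERE ID = %d",
        $new,
        $id
    ) );
}
```

The point of the hardened version is that the permission check sits on the code that does the work, not only on the code that renders the link to it, and that every value from `$_REQUEST` reaches MySQL only as a bound placeholder.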

  2. lkraav
    Member
    Posted 1 year ago #

    Was this ever attended to?

  3. robert_k
    Member
    Posted 1 year ago #

    lkraav, so far as I know this issue has not been attended to. The last release was 8 months ago, and this issue affects version 1.4 (the current as of writing, still).

    I included a download link with my security fixes because of the severity of this problem:
    http://www.woodst.com/clients/woodstreet/username-changer.zip

  4. lkraav
    Member
    Posted 1 year ago #

    OK thanks for caring. Your original message doesn't point out the version against which the report was made. I'll take a look at the diff of your version.

  5. garymgordon
    Member
    Posted 1 year ago #

    lkraav,

    I was curious if this issue was resolved. Please let me know.
    Gary

  6. SCNisHere
    Member
    Posted 1 year ago #

    I too am wondering. Thank you.

    Steve

  7. SCNisHere
    Member
    Posted 1 year ago #

    I too am wondering. Thank you.

    Steve

  8. robert_k
    Member
    Posted 1 year ago #

    Sorry guys, as far as I can tell the plugin owner never even attempted to contact me and has not dealt with the security issues I pointed out. The archive I posted has fixes for these security holes, but it isn't an official update for the plugin.

  9. rahul286
    Member
    Posted 1 year ago #

    @robert_k

    Why don't you fork this plugin?

  10. We (WordPress.org) reviewers are looking into the plugin. It will be disabled until it is fixed.

  11. Dan Griffiths
    Member
    Posted 1 year ago #

    I'd like to apologize for not catching this sooner. I never even noticed the open ticket until Pippin was kind enough to give me a nudge. I've learned a lot since originally releasing this plugin, so the V2.0.0 release I just pushed is a fairly major rewrite. I've also included the vulnerability patches provided by Robert, with my sincere thanks. Please let me know if there are any further issues!

  12. @ghost1227 Ping me when the update is pushed and I'll re-open the plugin.

  13. garymgordon
    Member
    Posted 1 year ago #

    Hi. Is the version at http://wordpress.org/support/plugin/username-changer good to use?

  14. Dan Griffiths
    Member
    Posted 1 year ago #

    Version 2.0.0 is the safe version.

  15. The plugin has been re-enabled and the problems have been fixed.

  16. Dan Griffiths
    Member
    Posted 1 year ago #

    Thanks for the quick re-approval Pippin!

Topic Closed

This topic has been closed to new replies.
