Support » Plugin: WP-PostRatings » Hack Attach and Vulnerability

  • Resolved g008888



    Most likely there was a hack attach on my site through your plugin the day before yesterday. The hacker tried to mess up with the rating settings and etc.

    Some how he also changed the font into italics for the front page and posts.

    A friend of mined dug into this and found that there were similar issue happening before? Want to seek your input. Thanks a lot.

    Hey, I think I found the exploit. It’s noted here: There appears to be an SQL injection vulnerability in the wp-postratings plugin – I’ll do my best to explain it. Basically, when you make a query against a MySQL database, it could look something like this: SELECT * FROM your_table WHERE id=1, meaning give me the information in the database from the item who’s id number is 1. Often times, websites grab parameters from the URL to query against a database. For example, if you go to google and search “hacks”, you’ll wind up at: The q represents query. Instead of going to the home page and typing in hacks, you can alter the url to search for “SQL” by going directly to: The vulnerability known as SQL injection is when someone takes advantage of this to alter a query. Looking at the original query I showed you, SELECT * FROM your_table WHERE id=1, if I were to type in 1 OR 1==1, the query can be interepreted as SELECT * FROM your_table WHERE id=1 OR 1==1. Since 1 always equals 1, it’s going to return all the tables. If the input is properly sanitized, the query should be SELECT * FROM your_table WHERE id="1 OR 1==1", where the input is seen as a single statement, as opposed to an expansion of the query. This is is the basis for SQL injection. This is commonly used to, for example, steal banking or other sensitive information. However, instead of trying to STEAL information, your attacker injected code. What I think happened was this. The WordPress plugin he exploited takes some voting input and expects a number or a name. The PHP and SQL statement to insert it into the database might look like this: $p = ‘SOME INPUT’; $statement = INSERT $p INTO some_table Then, the input is rendered on your page, like so: <p>Here, we have the SOME INPUT</p> Though ‘SOME INPUT’ would typically represent a number. Instead of following the usual voting protocol, he edited his input to be HTML, like this: $p = ‘<i>SOME HTML HERE</i>’ $statement = INSERT $p INTO some_table Then, when it gets displayed to your visitors, the HTML is rendered, when it should be escaped, which is two vulnerabilities – on the way in and on the way out. I dug through your HTML, it appears he didn’t close an tag, which italicizes fonts. It appears other people were hacked in the same way using the same plugin, as shown here:

Viewing 1 replies (of 1 total)
  • Plugin Author Lester Chan


    That has been fixed 3 years ago, unless you are running an outdated plugin. The current version does not have any exploit that I know off.

    Any SQL injection can happen to any plugin not just mine. They may choose to exploit other plugins to gain access and mess with the ratings.

Viewing 1 replies (of 1 total)
  • The topic ‘Hack Attach and Vulnerability’ is closed to new replies.