WP-Property - WordPress Powered Real Estate and Property Management
Plugin broken + vulnerable to sql injection!!! (3 posts)

  1. illbilly
    Posted 3 years ago #

    Running 1.36.0, we noticed that our importer was breaking. After looking at the PHP error log I was shocked to see that the plugin was failing to escape a dynamically created SQL statement! Any property with a ' in the title was breaking the importer.

    WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Brand New Townhome Development'' at line 1 for query SELECT ID FROM wp_posts where post_title = 'Jackson's Brand New Townhome Development' ...

    This error occurs on line #4014 of \wp-content\plugins\wp-property\core\premium\class_wpp_property_import.php

    You can patch it by replacing line #4014 with

    $title = mysql_real_escape_string($data[$data['unique_id']][0]);
    $post_exists = $wpdb->get_var( "SELECT ID FROM ".$wpdb->posts." where {$data['unique_id']} = '{$title}' " );

    This bad coding not only cost our development team hours to track down and fix, but it also opens a huge hole for SQL injection in our website!

    Don't believe me? Change the title of one of the properties in your import xml to

    '; update wp_posts set post_title='this plugin is bad' where 1=1;#

    run the import and see what happens.


  2. Maxim Peshkov
    Plugin Contributor

    Posted 3 years ago #

    Thank you for your feedback.
    We will have reviewed the code and fixed potential security threats before the next release.

  3. Denys Kostin
    Posted 3 years ago #

    That issue was fixed in WP-Property version 1.36.1 and XML-Importer version 3.2.7. Please update.

Topic Closed

This topic has been closed to new replies.
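
The lookup from the first post, as an added example that is not part of the thread or the plugin's code: it runs the same `SELECT ID FROM wp_posts` query against a constructed in-memory SQLite table through PDO, first with the value concatenated and then with the value bound and the column name checked against an allow-list. The function names, the `UNIQUE_ID_COLUMNS` list and the sample row are assumptions made for the example; in WordPress the value binding is done with `$wpdb->prepare()` and a `%s` placeholder.

```php
<?php
// Constructed stand-in for wp_posts, held in memory (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_name TEXT)");
$pdo->prepare("INSERT INTO wp_posts (post_title, post_name) VALUES (?, ?)")
    ->execute(["Jackson's Brand New Townhome Development", 'jacksons-townhomes']);

// Hypothetical allow-list: the only columns an import feed may name as its unique key.
const UNIQUE_ID_COLUMNS = ['post_title', 'post_name'];

// Before: the value is concatenated into the statement, as in the failing query.
function find_post_concat(PDO $pdo, string $column, string $value): ?int
{
    $id = $pdo->query("SELECT ID FROM wp_posts WHERE $column = '$value'")->fetchColumn();
    return $id === false ? null : (int) $id;
}

// After: the column is checked against the allow-list and the value is bound.
function find_post_bound(PDO $pdo, string $column, string $value): ?int
{
    if (!in_array($column, UNIQUE_ID_COLUMNS, true)) {
        throw new InvalidArgumentException("unsupported unique_id column: $column");
    }
    // Identifiers cannot be bound, so only an allow-listed name is interpolated.
    $stmt = $pdo->prepare("SELECT ID FROM wp_posts WHERE $column = ?");
    $stmt->execute([$value]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$title = "Jackson's Brand New Townhome Development"; // title from the error log above

try {
    find_post_concat($pdo, 'post_title', $title);
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

var_dump(find_post_bound($pdo, 'post_title', $title));

try {
    find_post_bound($pdo, 'no_such_column', $title);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The patch in the first post escapes the title but still interpolates the column name taken from `$data['unique_id']`, which is why the example also restricts that name to a fixed list.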
