Support » Plugin: User Activity Log » Plugin possibly vunerable to SQL injection

  • Resolved jakdaniel5

    (@jakdaniel5)


    The plugin does not correctly prepare the data before posting it to the database.

    In my apache error log I noticed this (I have replaced personal data with xx s:

    WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'xx@xx.org.uk', '185.73.xx.xx', '2018-07-26 12:47:03', ' at line 1 for query INSERT INTO wp_ualp_user_activity (post_id,post_title,user_id, user_name, user_role, user_email, ip_address, modified_date, object_type, action) VALUES ('1843','','41', 'xx xx', 'Subscriber, Participant, Volunteer Network Member','xx'xx@xx.org.uk', '185.73.xx.xx', '2018-07-26 12:47:03', 'reply', 'reply updated') made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_template_redirect, do_action('bbp_template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_post_request, do_action('bbp_post_request'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_new_reply_handler, wp_insert_post, do_action('save_post'), WP_Hook->do_action, WP_Hook->apply_filters, ual_shook_transition_post_status, ual_get_activity_function, ual_user_activity_add, referer: https://xx.co.uk/groups/xx/forum/topic/please-reply-to-me/

    It appears that none of the SQL statements are being prepared properly for database inserts (in user_functions.php line 118):

        function ual_user_activity_add($post_id, $post_title, $obj_type, $current_user_id, $current_user, $user_role, $user_mail, $modified_date, $ip, $action) {
            global $wpdb;
            $table_name = $wpdb->prefix . "ualp_user_activity";
            $post_title = addslashes($post_title);
            $insert_query = $wpdb->query("INSERT INTO $table_name (post_id,post_title,user_id, user_name, user_role, user_email, ip_address, modified_date, object_type, action) VALUES ('$post_id','$post_title','$current_user_id', '$current_user', '$user_role','$user_mail', '$ip', '$modified_date', '$obj_type', '$action')");
        }

    This opens up the plugin to possible SQL injection attacks most likely through a malicious email address that contains ‘ characters! It also means that users with email names such a O’Toole@ or O’Donnell@ with cause database errors.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor khushbu padalia

    (@khushbupadalia)

    Hi @jakdaniel5,

    Thank you for notifying us.
    We will check and resolve it in next version of plugin.

    Thank you and regards,
    Solwin Infotech

    I added:

    $user_email = addslashes($user_email);

    just after line 121 of user_functions.php, before the insert query in function ‘ual_user_activity_add’

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin possibly vunerable to SQL injection’ is closed to new replies.