Support » Plugin: Username Changer » SQL Injection Vulnerabilities

  • Resolved robert_k


    This plugin could potentially be exploited by any member on a WordPress site. Use this plugin at your own risk. It works, but it isn’t nearly secure enough.

    Firstly, no permission check is performed on the new page, just when outputting links. This isn’t secure enough, as just about anyone who knows the plugin is installed can manually enter the link and then rename an administrator. This needs another current_user_can('edit_users') check.

    Secondly, because the author did not consistently use $wpdb->prepare() for his SQL there are several SQL injection vulnerabilities. I don’t advise ever using esc_attr() on database input in place of proper SQL escaping; it can conceivably be bypassed. Anywhere that the plugin uses the $_REQUEST['id'] parameter the input is appended unfiltered to the end of a query. So just displaying the page you could essentially reset the password of an administrator to something you know, or perhaps all users, for just one example.

    If you are the author of this plugin: I’ve taken the time to secure this plugin for a project and have sanitized all SQL statements. I made a few tweaks for the sake of this project that you needn’t carry over, but the security check and the SQL protection you really should carry over. You can download and compare my changes here. And if you incorporate my changes, please list me as a contributor: “Robert Kosek, Wood Street Inc”.

Viewing 15 replies - 1 through 15 (of 15 total)
Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘SQL Injection Vulnerabilities’ is closed to new replies.