Make WordPress Core

Opened 13 months ago

Closed 10 months ago

Last modified 3 months ago

#60009 closed defect (bug) (invalid)

Potential SQL Injection in WordPress Core

Reported by: williamdee
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: Query
Keywords:
Focuses:
Cc:

Description (last modified by swissspidy)

Action/s Required to Trigger (potentially):

When going to any WordPress URL (potentially).

File/s Involved (there are others):

wp-include/class-wp-query.php

Core Issue:

The SQL query to retrieve a page via post name uses generated SQL instead of static SQL with bound variables (lines 2031-2032):

$q['name'] = sanitize_title_for_query( $q['name'] );
$where    .= " AND {$wpdb->posts}.post_name = '" . $q['name'] . "'";

Note:

While the sanitize_title_for_query() function should sanitize this, if some hacker can slip something through that function then it is directly injected. For proper security the SQL should not be generated dynamically and should use bound variables.

Other Files Affected:

Using the following GREP brings up other lines to look at:

grep -R " = ' \." *

wp-includes/bookmark.php: $inclusions = ' AND ( link_id = ' . $inclink . ' ';
wp-includes/bookmark.php: $inclusions .= ' OR link_id = ' . $inclink . ' ';
wp-includes/bookmark.php: $category_query = ' AND ( tt.term_id = ' . $incat . ' ';
wp-includes/bookmark.php: $category_query .= ' OR tt.term_id = ' . $incat . ' ';

Again, these should not be using dynamically generated SQL and should be using bound variables.
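An added example, not code from this ticket or from WordPress core, showing the two fragments quoted above rewritten so the SQL text stays static and the values are bound through `$wpdb->prepare()`. It assumes WordPress is loaded (for instance run through WP-CLI's `wp eval-file`) so that `$wpdb`, `sanitize_title_for_query()` and `absint()` exist; the two function names are invented for the example.

```php
<?php
// Added example (not WordPress core code). Assumes WordPress is loaded,
// e.g. `wp eval-file this-file.php`, so $wpdb and the helpers below exist.

/**
 * Look up a post ID by slug. The slug is passed as a %s argument to
 * prepare(), which quotes and escapes it, instead of being concatenated
 * into the WHERE clause as in the class-wp-query.php lines quoted above.
 */
function example_post_id_by_name( $name ) {
    global $wpdb;

    // Same sanitizer WP_Query applies before building its clause.
    $name = sanitize_title_for_query( $name );

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s LIMIT 1",
        $name
    );

    return (int) $wpdb->get_var( $sql );
}

/**
 * Build the "link_id = ... OR link_id = ..." fragment that bookmark.php
 * assembles by concatenation, as an IN list with one %d placeholder per
 * value. Non-numeric entries are dropped rather than interpolated.
 */
function example_link_id_clause( array $include ) {
    global $wpdb;

    // absint() turns each value into a non-negative integer; zero is removed.
    $ids = array_values( array_filter( array_map( 'absint', $include ) ) );
    if ( empty( $ids ) ) {
        return '';
    }

    // One %d per value; prepare() accepts the values as a single array.
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    return $wpdb->prepare( " AND link_id IN ( {$placeholders} )", $ids );
}

// Constructed sample input: the slug stays data, the 'abc' entry is dropped.
var_dump( example_post_id_by_name( 'sample-page' ) );
var_dump( example_link_id_clause( array( '3', 'abc', '7' ) ) );
```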

Change History (1)

#1 @swissspidy
10 months ago

  • Component changed from Security to Query
  • Description modified (diff)
  • Keywords needs-review removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed
  • Version changed from trunk to 3.1

Hi there and welcome to WordPress Trac!

First of all, when creating this ticket you had to tick a checkbox saying that you are not reporting a security issue. If in doubt, please always responsibly report security issues to the WordPress HackerOne program.

Second, please note that all of these occurrences, while assembling SQL queries, use wpdb for escaping queries before execution. It's the caller's job to sanitize input used for WP_Query (sanitize early, escape late).
