During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, the WPScan research team uncovered two SQL Injection vulnerabilities that could allow low-privileged users, such as subscribers, to leak sensitive information from a site’s database.
If exploited, the vulnerabilities might grant attackers access to privileged information from impacted sites’ databases, such as usernames and hashed passwords.
We reported the vulnerabilities to the plugins’ authors, and they recently released Slimstat Analytics version 4.9.3.3 and Paid Memberships Pro version 2.9.12 to address them. WPScan strongly recommends that you update the affected plugins to their respective latest versions, and that you have an established security solution on your site, such as WPScan.
Subscriber+ SQL Injection in Slimstat Analytics
| Plugin Name | Slimstat Analytics |
| --- | --- |
| Plugin URI | https://wordpress.org/plugins/wp-slimsta |
| Author | https://wp-slimstat.com |
| Affected Versions | Every version between 4.1 and 4.9.3.3 |
| CVE-ID | CVE-2023-0630 |
| WPScan ID | b82bdd02-b699-4527-86cc-d60b56ab0c55 |
| CVSSv3.1 | 7.7 |
```php
// Init the database library with the appropriate filters
if ( strpos( $_content, 'WHERE:' ) !== false ) {
	// Everything after the "WHERE:" token in the shortcode content is kept as-is
	// and later used as a raw SQL WHERE clause; no validation happens here.
	$where = html_entity_decode( str_replace( 'WHERE:', '', $_content ), ENT_QUOTES, 'UTF-8' );
}
else {
	wp_slimstat_db::init( html_entity_decode( $_content, ENT_QUOTES, 'UTF-8' ) );
}

switch ( $f ) {
	case 'count':
	case 'count-all':
		// $where is handed to count_records() unchanged
		$output = wp_slimstat_db::count_records( $w, $where, strpos( $f, 'all' ) === false ) + $o;
		break;
}
```
Slimstat’s shortcode allows users to add filtering logic in the form of SQL WHERE statements by looking for a “WHERE:” token inside the shortcode’s content. This functionality is a problem since, as we’ve reported in another vulnerability advisory before, any logged-in user on a site, including subscribers, can render shortcodes in WordPress.
A proof of concept exploit for this vulnerability will be available on this vulnerability’s WPScan entry.
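The safe alternative to accepting raw SQL after a “WHERE:” token is to parse the filter text into an allowlisted column, operator and value, and to bind the value as a parameter. The following is an added example written for this post, not Slimstat’s own code; the column and operator allowlists and the function name `slimstat_safe_where` are hypothetical, and the returned clause with `%s` placeholders is what you would hand to `$wpdb->prepare()` inside WordPress.

```php
<?php
// Added example (not Slimstat's code): convert shortcode filter text such as
// "WHERE: country = US AND browser = Chrome" into a parameterised WHERE clause
// instead of splicing caller-supplied SQL into the query.
// Column and operator names below are a hypothetical allowlist.

const ALLOWED_COLUMNS   = ['country', 'browser', 'platform', 'resource'];
const ALLOWED_OPERATORS = ['=', '!=', 'contains'];

/**
 * Parse "WHERE:" filter text into a clause containing only allowlisted
 * columns/operators and %s placeholders, plus the values to bind.
 * Returns null if any term fails validation, so nothing untrusted reaches SQL.
 *
 * @return array{0:string,1:array<int,string>}|null
 */
function slimstat_safe_where(string $content): ?array
{
    if (strpos($content, 'WHERE:') !== 0) {
        return null;
    }
    $filters = trim(substr($content, strlen('WHERE:')));
    $clauses = [];
    $params  = [];

    // Only AND-joined "<column> <operator> <value>" triples are accepted.
    foreach (preg_split('/\s+AND\s+/i', $filters) as $term) {
        if (!preg_match('/^(\w+)\s+(=|!=|contains)\s+(\S+)$/i', trim($term), $m)) {
            return null; // anything else (OR, subqueries, comments, ...) is rejected
        }
        [, $column, $operator, $value] = $m;
        $operator = strtolower($operator);
        if (!in_array($column, ALLOWED_COLUMNS, true)
            || !in_array($operator, ALLOWED_OPERATORS, true)) {
            return null; // column and operator must come from the allowlist
        }
        if ($operator === 'contains') {
            // In WordPress, escape wildcards in $value with $wpdb->esc_like() first.
            $clauses[] = "`$column` LIKE %s";
            $params[]  = '%' . $value . '%';
        } else {
            $clauses[] = "`$column` $operator %s";
            $params[]  = $value;
        }
    }
    return [implode(' AND ', $clauses), $params];
}

// Constructed inputs for illustration.
var_dump(slimstat_safe_where('WHERE: country = US AND browser = Chrome'));
// array("`country` = %s AND `browser` = %s", array("US", "Chrome"))
var_dump(slimstat_safe_where('WHERE: country = US OR 1=1'));
// NULL: "US OR 1=1" is not a single value token, so the whole filter is refused
```

The point of returning placeholders rather than a finished string is that the values never touch the SQL text; the driver binds them, and the only SQL fragments the user can influence are the identifiers and operators chosen from the allowlist.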
Subscriber+ SQL Injection in Paid Memberships Pro
| Plugin Name | Paid Memberships Pro |
| --- | --- |
| Plugin URI | https://wordpress.org/plugins/paid-memberships-pro/ |
| Author | https://www.paidmembershipspro.com/ |
| Affected Versions | Every version between 1.5.5 and 2.9.12 |
| CVE-ID | CVE-2023-0631 |
| WPScan ID | 19ef92fd-b493-4488-91f0-e6ba51362f79 |
| CVSSv3.1 | 7.7 |
```php
if ( $hasaccess && ! empty( $delay ) ) {
	//okay, this post requires membership. start by getting the user's startdate
	if ( ! empty( $levels ) ) {
		// $levels comes from the shortcode attributes. esc_sql() only escapes quotes,
		// and the escaped values are concatenated unquoted inside IN( ... ).
		$sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND membership_id IN(" . implode( ",", array_map( 'esc_sql', $levels ) ) . ") AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
	} else {
		$sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
	}
}
```
While, at first sight, it may look like the Paid Memberships Pro shortcode properly escapes the $levels variable before concatenating it to an SQL query, the escaped content is not inserted inside a quoted string literal, so escaping quotes achieves nothing. This effectively means an attacker can abuse that feature to inject SQL statements, so long as they don’t contain any quotes.
Since shortcodes can be rendered by any logged-in users, like subscribers, this enables low-privileged attackers to leak sensitive information from the database, like usernames and hashed passwords.
A proof of concept exploit for this vulnerability will be made available on this vulnerability’s WPScan entry.
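Because membership IDs are integers, the correct fix is to coerce each entry to an integer (or bind it with a `%d` placeholder) rather than to escape it as a string. The following is an added example written for this post, not Paid Memberships Pro’s own code; the function names are hypothetical, and `escape_like_esc_sql` is a stand-in for WordPress’s `esc_sql()` so the script runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Shows why quote escaping does not
// protect an unquoted IN( ... ) list and what a type-based check looks like.

// Stand-in for esc_sql(): escapes quotes and backslashes only. Not the real
// function; present so this file runs without WordPress.
function escape_like_esc_sql(string $value): string
{
    return addslashes($value);
}

// The pattern the advisory describes: string-escape, then concatenate unquoted.
// Input that contains no quotes passes through untouched.
function unsafe_level_list(array $levels): string
{
    return implode(',', array_map('escape_like_esc_sql', $levels));
}

// Hardened form: keep only entries that are positive decimal integers,
// so the result can only ever be a comma-separated list of digits.
function safe_level_ids(array $levels): array
{
    $ids = [];
    foreach ($levels as $level) {
        $level = trim((string) $level);
        if (preg_match('/^[1-9]\d*$/', $level) === 1) {
            $ids[] = (int) $level;
        }
    }
    return array_values(array_unique($ids));
}

// Builds the IN clause, or null when no valid ID survives. The caller should
// then omit the clause entirely, as the plugin's else-branch already does,
// rather than emit the invalid "IN ()".
function safe_level_in_clause(array $levels): ?string
{
    $ids = safe_level_ids($levels);
    if ($ids === []) {
        return null;
    }
    return 'membership_id IN (' . implode(',', $ids) . ')';
}

// Alternative for $wpdb->prepare(): one %d placeholder per validated ID,
// e.g. "membership_id IN (%d,%d,%d)" with the IDs passed as arguments.
function level_placeholders(int $count): string
{
    return implode(',', array_fill(0, $count, '%d'));
}

// Constructed inputs.
$good = ['1', '2', '3'];
$bad  = ['1', '2 OR 1=1'];   // contains no quotes, so quote escaping leaves it as-is

echo unsafe_level_list($bad), PHP_EOL;        // 1,2 OR 1=1  (reaches the query unchanged)
echo safe_level_in_clause($bad), PHP_EOL;     // membership_id IN (1)
echo safe_level_in_clause($good), PHP_EOL;    // membership_id IN (1,2,3)
var_dump(safe_level_in_clause(['abc']));      // NULL
echo level_placeholders(count(safe_level_ids($good))), PHP_EOL; // %d,%d,%d
```

The general rule this illustrates: `esc_sql()` is only meaningful for data that ends up inside a quoted string. Anything placed in an unquoted position (numbers, identifiers, keywords) needs either a type check that leaves no room for SQL syntax or a typed placeholder such as `%d`.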
Conclusion
We recommend that you check which version of the plugins your site is using, and if they are within the affected ranges, update them as soon as possible!
The WPScan team works hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. WPScan is a great WordPress security option to ensure your site and visitors are safe.