A critical security flaw in the widely used WordPress plugin GamiPress has been disclosed: an unauthenticated SQL injection vulnerability, tracked as CVE-2024-13496 and rated 7.5 (high) on the CVSS 3.1 scale, indicating a significant risk of exploitation.
The issue was found during a security assessment of GamiPress version 7.2.1 and has been confirmed to affect all versions up to 7.3.1, so users should update promptly to the most recent secure release.
Research by Abrahack traces the vulnerability to GamiPress's use of the wp_ajax_nopriv_{$action} hook, which exposes AJAX actions to unauthenticated visitors. The gamipress_get_logs AJAX endpoint is the weak link: it retrieves user interaction logs and accepts several request parameters that influence the resulting database query. Its handler, gamipress_ajax_get_logs, reads these parameters from the $_REQUEST array and passes them on to the gamipress_logs_shortcode function.
gamipress_logs_shortcode in turn calls gamipress_logs_shortcode_query, which queries the database through the CT_Query class. The vulnerability stems from the orderby request parameter being passed into the SQL query without adequate validation; the only protections in place, such as stripping spaces and restricting quotes, are filters that an attacker can work around with a suitably crafted value.
The researchers demonstrated the impact with a boolean time-based SQL injection payload, showing that an attacker can infer sensitive database contents even without extracting data directly. The vendor addressed the flaw in version 7.3.2 by switching to an allow-list (whitelist) approach for the orderby parameter: only predefined columns of the gamipress_logs table are accepted, which removes the injection path.
The case is a reminder that user input, especially in WordPress plugins, must be validated before it reaches a database query. Users are strongly advised to update their GamiPress installations to version 7.3.2 or newer to protect against SQL injection attacks.
In conclusion, this incident underscores the ongoing need for developers and users alike to remain vigilant and proactive as security challenges evolve. As technology continues to advance, ensuring the security and integrity of digital platforms will remain a top priority for the cybersecurity community.
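To make the fix concrete, the following is an added PHP illustration, not GamiPress's own code, of why cleaning an ORDER BY value is insufficient and how an allow-list handles it instead. The column names, function names and default column are assumptions for this example.

```php
<?php
// Illustrative code only (not the plugin's): column list, helper names and
// the default column are assumptions chosen for this example.

// Columns a caller may legitimately sort the logs table by (assumed list).
const LOGS_ORDERBY_ALLOWLIST = ['log_id', 'title', 'type', 'user_id', 'date'];

// Weak pattern: filter-style cleanup of user input before interpolation.
// Removing spaces and quotes does not make a value safe inside ORDER BY,
// because ORDER BY accepts arbitrary expressions, not only column names.
function build_logs_order_weak(string $orderby): string {
    $cleaned = str_replace([' ', '"', "'"], '', $orderby);
    return "ORDER BY $cleaned";
}

// Hardened pattern: treat orderby as an identifier and accept it only when
// it exactly matches one predefined column; anything else falls back to a
// known default instead of reaching the query.
function normalize_logs_orderby(string $orderby): string {
    $orderby = strtolower(trim($orderby));
    return in_array($orderby, LOGS_ORDERBY_ALLOWLIST, true) ? $orderby : 'log_id';
}

function build_logs_order_safe(string $orderby, string $order): string {
    $column = normalize_logs_orderby($orderby);
    // The sort direction is likewise reduced to one of two fixed literals.
    $direction = strtoupper(trim($order)) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY `$column` $direction";
}

// Self-check on constructed inputs: valid columns pass through, everything
// else (including multi-column or unknown values) is replaced by the default.
foreach (['date', ' TYPE ', 'not_a_column', 'log_id,user_id'] as $input) {
    printf("%-18s -> %s\n", var_export($input, true), build_logs_order_safe($input, 'asc'));
}
```

The weak builder is shown only to contrast with the allow-list; in a real handler the request value should never reach the query string without passing through a check like normalize_logs_orderby.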
