CVSS Summary
| Score | 8.2 High |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | Single |
| Confidentiality | Complete |
| Integrity | Partial |
| Availability | Complete |
Advisory:
Administrator-exploitable blind SQLi in WordPress 3.8.1
Vulnerability
Last revised:
In certain circumstances admin users can perform SQL injections.
Current state: Fixed
Proof of concept
- get_bookmarks() must be called somewhere with show_updated set to true (i.e. get_bookmarks(‘show_updated=1’))
- Visit /wp-admin/options.php
- SetĀ links_recently_updated_time to “1 minute),0,0), (select sleep(5)), if (date_add(link_updated, interval 1”
- Visit a page which calls get_bookmarks(‘show_updated=1’)
- If it has worked you’ll notice a 5 second delay before the page is rendered
The line in question is line 230 of wp-includes/bookmark.php (in WordPress 3.8.1).
Advisory timeline
2013-09-24: Discovered
2013-09-24: Reported to security@wordpress.org
2013-09-24: Report acknowledged
2014-03-17: Vendor reports that a fix will be released in WP 3.8.2
2014-04-09: WP 3.8.2 released, vulnerability published
Mitigation/further actions
Upgrade to WordPress 3.8.2.