Administrator-exploitable blind SQLi in WordPress 3.8.1


Last revised:

In certain circumstances admin users can perform SQL injections.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 8.2 High
Vector Network
Complexity Medium
Authentication Single
Confidentiality Complete
Integrity Partial
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • get_bookmarks() must be called somewhere with show_updated set to true (i.e. get_bookmarks(‘show_updated=1’))
  • Visit /wp-admin/options.php
  • SetĀ links_recently_updated_time to “1 minute),0,0), (select sleep(5)), if (date_add(link_updated, interval 1”
  • Visit a page which calls get_bookmarks(‘show_updated=1’)
  • If it has worked you’ll notice a 5 second delay before the page is rendered

The line in question is line 230 of wp-includes/bookmark.php (in WordPress 3.8.1).

Advisory timeline

2013-09-24: Discovered
2013-09-24: Reported to
2013-09-24: Report acknowledged
2014-03-17: Vendor reports that a fix will be released in WP 3.8.2
2014-04-09: WP 3.8.2 released, vulnerability published

Mitigation/further actions

Upgrade to WordPress 3.8.2.