WPRecovery WordPress Plugin SQL Injection Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A SQL injection vulnerability has been identified in the WPRecovery plugin for WordPress, affecting all versions through 2.0. The plugin does not adequately escape user-supplied data in the 'data[id]' parameter, so unauthenticated attackers can inject additional SQL commands and extract sensitive information from the database. In addition, the result of the injected SQL query is passed directly to PHP's unlink() function, so an attacker who manipulates the query to return specific file paths can delete arbitrary files on the server.
Impact
Exploitation of this vulnerability allows for unauthorized SQL injection, leading to the extraction of sensitive database information and the deletion of arbitrary files on the server.
Reproduction
To reproduce this vulnerability, send a POST request to the WordPress site with the 'data[id]' parameter. The injected SQL will be executed, and the result can be used to delete files from the server.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
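For developers auditing their own code for the same flaw class (a request parameter reaching a SQL query whose result is handed to unlink()), the following added example shows the checks that break that chain. It is not WPRecovery's code; the "backups" table, "file_path" column, demo directory and delete_backup() function are assumptions, and PDO with SQLite stands in for the WordPress database layer.

```php
<?php
// Added example (constructed): models the flaw class in the advisory, not the plugin's code.
// Assumed names: table "backups", column "file_path", function delete_backup().
function delete_backup(PDO $db, string $backupDir, $rawId): bool
{
    // 1. Accept only a plain positive integer, so SQL text (or an array) is rejected outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // 2. Bind the value instead of concatenating it (in WordPress: $wpdb->prepare() with %d).
    $stmt = $db->prepare('SELECT file_path FROM backups WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $path = $stmt->fetchColumn();
    if ($path === false) {
        return false;
    }
    // 3. Do not trust the row either: resolve it and require it to sit inside the backup directory.
    $base = realpath($backupDir);
    $real = realpath($path);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($real)) {
        return false;
    }
    return unlink($real);
}

// Constructed demo data: one backup inside the directory, one file outside it.
$dir = sys_get_temp_dir() . '/wpr_demo_' . bin2hex(random_bytes(4));
mkdir("$dir/backups", 0700, true);
file_put_contents("$dir/backups/site.zip", 'backup');
file_put_contents("$dir/keep.txt", 'must survive');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE backups (id INTEGER PRIMARY KEY, file_path TEXT)');
$ins = $db->prepare('INSERT INTO backups (file_path) VALUES (?)');
$ins->execute(["$dir/backups/site.zip"]);
$ins->execute(["$dir/keep.txt"]); // row that points outside the backup directory

var_dump(delete_backup($db, "$dir/backups", '1'));        // valid id, file inside the directory
var_dump(delete_backup($db, "$dir/backups", '2'));        // valid id, path fails containment
var_dump(delete_backup($db, "$dir/backups", '1 OR 1=1')); // non-integer input
var_dump(file_exists("$dir/keep.txt"));                   // file outside the directory
```

The path containment check in step 3 matters independently of the query fix: it limits what a delete handler can remove even if a stored row is wrong or tampered with.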
