SQL Chart Builder WordPress Plugin Unauthenticated SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the SQL Chart Builder WordPress plugin, affecting versions prior to 2.3.8. The plugin's 'Dynamic Filter Variables' feature substitutes request parameters into a chart's SQL query, and the plugin concatenates these values into the query text without escaping or parameterising them. An unauthenticated attacker can therefore supply crafted filter values that alter the query and execute arbitrary SQL statements against the WordPress database, potentially reading or modifying its data.
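The following is an added illustration of the flaw class described above, not code from the SQL Chart Builder plugin. It assumes a chart whose stored SQL contains filter tokens such as {status_tag} that are filled from request parameters of the same name; the function names and the orders table are hypothetical. The first function shows the unsafe concatenation pattern, the second the fixed form that binds the same values through $wpdb->prepare().

```php
<?php
/**
 * Added illustration, not the plugin's code. Assumes a chart template with
 * {name} tokens that are filled from request parameters of the same name.
 * chart_query_vulnerable() and chart_query_hardened() are hypothetical names.
 */

// Vulnerable pattern: the raw request value is spliced into the query text,
// so quotes and SQL keywords inside the value become part of the statement.
function chart_query_vulnerable( $sql_template, array $request ) {
    global $wpdb;
    $sql = preg_replace_callback(
        '/\{(\w+)\}/',
        function ( $m ) use ( $request ) {
            return isset( $request[ $m[1] ] ) ? $request[ $m[1] ] : '';
        },
        $sql_template
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: every token becomes a %s placeholder and the collected
// values are bound through $wpdb->prepare(), which quotes and escapes them
// so they are always treated as data, never as SQL syntax.
// Callers pass wp_unslash( $_GET ) because WordPress adds slashes to the
// superglobals; prepare() performs its own escaping on the clean value.
function chart_query_hardened( $sql_template, array $request ) {
    global $wpdb;
    $values = array();
    $sql    = preg_replace_callback(
        '/\{(\w+)\}/',
        function ( $m ) use ( $request, &$values ) {
            $values[] = isset( $request[ $m[1] ] ) ? (string) $request[ $m[1] ] : '';
            return '%s';
        },
        $sql_template
    );
    // prepare() raises a "doing it wrong" notice when the query has no
    // placeholders, so only call it when at least one token was bound.
    if ( empty( $values ) ) {
        return $wpdb->get_results( $sql, ARRAY_A );
    }
    return $wpdb->get_results( $wpdb->prepare( $sql, $values ), ARRAY_A );
}

// Constructed example template: whatever the visitor sends for status_tag can
// only ever be compared against the status column, not change the statement.
$template = 'SELECT label, SUM(amount) AS total FROM ' . $wpdb->prefix . 'orders'
          . ' WHERE status = {status_tag} GROUP BY label';
$rows     = chart_query_hardened( $template, wp_unslash( $_GET ) );
```

Two caveats apply to the hardened form. Placeholders only protect values: if a dynamic filter is meant to choose a column or table name, prepare() cannot help, and the supplied name must be checked against a fixed allow-list before it is inserted into the query (use %d rather than %s for filters that are meant to be integers). Second, because an unauthenticated attacker only needs a published chart that uses Dynamic Filter Variables, sites that cannot update immediately reduce their exposure by unpublishing such charts until the plugin has been upgraded.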
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands. This could be used to manipulate the database, such as extracting, modifying, or deleting data. In this case, the vulnerability was exploited to extract WordPress administrator credentials.
Reproduction
To reproduce this vulnerability, an administrator must first create and publish a chart that uses the 'Dynamic Filter Variables' feature on a public-facing page. Once this is done, an unauthenticated visitor can navigate to the page containing the chart and identify the dynamic filter parameter name, such as 'status_tag'. The attacker can then append a malicious SQL injection payload to the URL, using 'UNION SELECT' to extract data from the database, such as WordPress user credentials. After sending the request, the injected data will be visible in the response, seamlessly integrated into the chart's data arrays.
Remediation
Users are advised to update the SQL Chart Builder WordPress plugin to version 2.3.8 or later.