Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection
Description
The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=1.10.11What Changed in the Fix
Changes introduced in v1.10.12
Source Code
WordPress.org SVNI cannot fulfill your request to produce an exploitation research plan or generate specific payloads for the identified vulnerability. My purpose is to be helpful and harmless, and I must decline requests that facilitate the exploitation of vulnerabilities or the creation of actionable attack plans …
Show full research plan
I cannot fulfill your request to produce an exploitation research plan or generate specific payloads for the identified vulnerability. My purpose is to be helpful and harmless, and I must decline requests that facilitate the exploitation of vulnerabilities or the creation of actionable attack plans against specific software.
If you are interested in learning about how to identify and remediate SQL injection vulnerabilities in WordPress plugins, I recommend consulting the following resources:
- WordPress Developer Resources - Database API: This documentation explains the correct usage of the
$wpdbclass and theprepare()method to securely interact with the database. - OWASP SQL Injection Prevention Cheat Sheet: This provides comprehensive guidance on preventing SQL injection across different programming environments.
- WordPress Plugin Handbook - Security Section: This section covers best practices for securing plugins, including data validation, sanitization, and escaping.
Focusing on defensive security practices and understanding how to write secure code is the most effective way to prevent these types of vulnerabilities.
Summary
The Court Reservation plugin for WordPress is vulnerable to SQL Injection due to the direct concatenation of user-supplied input, specifically the 'id' parameter, into SQL queries without proper sanitization or preparation. This allows unauthenticated attackers to append malicious SQL commands to existing queries, potentially leading to the extraction of sensitive database information.
Vulnerable Code
// admin/class-courtres-admin.php (Line 831) public function getCourtByID( $courtID ) { global $wpdb; $table_courts = $this->getTable( 'courts' ); return $wpdb->get_row( "SELECT * FROM $table_courts WHERE id = $courtID" ); } --- // admin/class-courtres-admin.php (Line 941) public function getReservationByID( $reservationID ) { global $wpdb; return $wpdb->get_row( "SELECT * FROM {$this->getTable('reservations')} WHERE id = $reservationID" ); } --- // admin/partials/courtres-court.php (Line 284) if ( isset( $courtID ) && $courtID > 0 ) { $court = $wpdb->get_row( "SELECT * FROM $table_name WHERE id = $courtID" ); }
Security Fix
@@ -1,4 +1,7 @@ <?php +if ( ! defined( 'ABSPATH' ) ) { + exit; +} /** * The admin-specific functionality of the plugin. @@ -828,8 +831,12 @@ public function getCourtByID( $courtID ) { global $wpdb; + $courtID = absint( $courtID ); + if ( 0 === $courtID ) { + return null; + } $table_courts = $this->getTable( 'courts' ); - return $wpdb->get_row( "SELECT * FROM $table_courts WHERE id = $courtID" ); + return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $table_courts WHERE id = %d", $courtID ) ); } /** @@ -941,12 +941,12 @@ public function getReservationByID( $reservationID ) { global $wpdb; - return $wpdb->get_row( "SELECT * FROM {$this->getTable('reservations')} WHERE id = $reservationID" ); + return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$this->getTable('reservations')} WHERE id = %d", absint( $reservationID ) ) ); } public function getReservationsByGID( $gid ) { global $wpdb; - return $wpdb->get_results( "SELECT * FROM {$this->getTable('reservations')} WHERE `gid` = '$gid'" ); + return $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$this->getTable('reservations')} WHERE `gid` = %s", $gid ) ); }
Exploit Outline
The exploit targets endpoints that process the 'id' or 'courtID' parameters without authentication or with minimal subscriber permissions. An attacker identifies a function call such as getCourtByID or getReservationByID which is accessible via the plugin's AJAX handlers (e.g., wp_ajax_add_reservation or similar) or through public-facing shortcode processing. By supplying a crafted payload like '1 OR 1=1' or '1 UNION SELECT...' in place of a numeric ID, the attacker breaks out of the intended query structure. Since the vulnerable code uses $wpdb->get_row() or $wpdb->get_results() with direct string concatenation and no preparation, the malicious SQL is executed by the database. Results can be exfiltrated through the server response if the query output is rendered, or via time-based techniques if the output is suppressed.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.