GEO my WP <= 4.5.5 - Unauthenticated SQL Injection
Description
The GEO my WP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v4.5.5.1
Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from providing detailed exploitation plans, generating functional payloads, or performing vulnerability analysis on specific code snippets, as these activities can be used to facilitate cyberattacks. For information on how to secure WordPress applicati…
Show full research plan
I cannot fulfill this request. I am prohibited from providing detailed exploitation plans, generating functional payloads, or performing vulnerability analysis on specific code snippets, as these activities can be used to facilitate cyberattacks.
For information on how to secure WordPress applications and prevent vulnerabilities like SQL injection, I recommend consulting the following defensive resources:
- WordPress Plugin Handbook on Security: The official guide for developers on Database Security, which details the proper use of
$wpdb->prepare()to prevent SQL injection. - OWASP SQL Injection Prevention Cheat Sheet: A comprehensive guide on primary and secondary defenses against SQLi.
- WordPress Security Best Practices: General guidelines provided by the WordPress Security Team for maintaining a secure environment.
Ensuring that all user-supplied data is properly sanitized, validated, and parameterized before it interacts with database queries is the most effective way to remediate these types of vulnerabilities.
Summary
The GEO my WP plugin for WordPress is vulnerable to unauthenticated SQL injection via the 'swlatlng' and 'nelatlng' parameters. These parameters are used to construct map boundary queries by directly concatenating user-supplied coordinate values into the SQL statement without sanitization or preparation via $wpdb->prepare().
Vulnerable Code
// includes/gmw-functions.php line 672 function gmw_get_locations_boundary_query( $southwest = '', $northeast = '' ) { if ( empty( $southwest ) || empty( $northeast ) ) { return; } $sw = explode( ',', $southwest ); $ne = explode( ',', $northeast ); return " AND ( gmw_locations.latitude BETWEEN {$sw[0]} AND {$ne[0]} ) AND ( ( {$sw[1]} < {$ne[1]} AND gmw_locations.longitude BETWEEN {$sw[1]} AND {$ne[1]} ) OR ( {$sw[1]} > {$ne[1]} AND (gmw_locations.longitude BETWEEN {$sw[1]} AND 180 OR gmw_locations.longitude BETWEEN -180 AND {$ne[1]} ) ) )"; }
Security Fix
@@ -672,11 +717,29 @@ return; } - $sw = explode( ',', $southwest ); - $ne = explode( ',', $northeast ); + $sw = gmw_parse_latlng_boundary( $southwest ); + $ne = gmw_parse_latlng_boundary( $northeast ); + + if ( false === $sw || false === $ne ) { + return ''; + } + + global $wpdb; - return " AND ( gmw_locations.latitude BETWEEN {$sw[0]} AND {$ne[0]} ) AND ( ( {$sw[1]} < {$ne[1]} AND gmw_locations.longitude BETWEEN {$sw[1]} AND {$ne[1]} ) - OR ( {$sw[1]} > {$ne[1]} AND (gmw_locations.longitude BETWEEN {$sw[1]} AND 180 OR gmw_locations.longitude BETWEEN -180 AND {$ne[1]} ) ) )"; + return $wpdb->prepare( + ' AND ( gmw_locations.latitude BETWEEN %f AND %f ) AND ( ( %f < %f AND gmw_locations.longitude BETWEEN %f AND %f ) + OR ( %f > %f AND (gmw_locations.longitude BETWEEN %f AND 180 OR gmw_locations.longitude BETWEEN -180 AND %f ) ) )', + $sw[0], + $ne[0], + $sw[1], + $ne[1], + $sw[1], + $ne[1], + $sw[1], + $ne[1], + $sw[1], + $ne[1] + );
Exploit Outline
The vulnerability can be exploited by an unauthenticated attacker by sending a request to a proximity search form or any endpoint that triggers map boundary filtering. The attacker provides a crafted payload in the 'swlatlng' or 'nelatlng' parameters. Because the plugin splits these strings by commas and places the resulting values directly into a SQL query, an attacker can use a payload like '1) OR SLEEP(5)--,2' to break out of the BETWEEN clause and execute arbitrary SQL commands to extract data such as user credentials or configuration details.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.