Meow Gallery <= 5.4.4 - Authenticated (Author+) SQL Injection
Description
The Meow Gallery plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.4.4 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Technical Details
Affected versions: <= 5.4.4
What Changed in the Fix
Changes introduced in v5.4.5
Source Code
WordPress.org SVN
Summary
The Meow Gallery plugin for WordPress is vulnerable to SQL injection via the REST API endpoints used for gallery previews and shortcode fetching. Authenticated attackers with Author-level permissions or higher can exploit this by submitting malicious SQL payloads through parameters like 'ids' or 'order_by', which are concatenated into database queries without proper sanitization or preparation.
Vulnerable Code
```php
// classes/rest.php line 124
function preview( WP_REST_Request $request ) {
    $params = $request->get_body( );
    $params = json_decode( $params );
    $params->ids = implode( ',', $params->ids );
    $atts = ( array ) $params;
```
---
```php
// classes/core.php line 209
// Filter the IDs
$ids = is_array( $image_ids ) ? $image_ids : explode( ',', $image_ids );
```
Security Fix
@@ -126,6 +126,7 @@ function preview( WP_REST_Request $request ) { $params = $request->get_body( ); $params = json_decode( $params ); + $params->ids = array_map( 'intval', $params->ids ); $params->ids = implode( ',', $params->ids ); $atts = ( array ) $params; @@ -208,6 +208,7 @@ // Filter the IDs $ids = is_array( $image_ids ) ? $image_ids : explode( ',', $image_ids ); + $ids = array_map( 'intval', $ids );
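Review bot: In the first hunk (`preview()` in classes/rest.php) `array_map( 'intval', $params->ids )` runs before anything confirms that `json_decode()` succeeded or that `ids` is an array, so a body with `ids` missing, or sent as a string or number, now reaches `array_map()` with a non-array argument (a warning on PHP 7, a thrown TypeError on PHP 8). Guard it first, for example `if ( ! is_array( $params->ids ?? null ) ) { return new WP_Error( 'invalid_ids', 'ids must be an array', array( 'status' => 400 ) ); }`. The cast is a sound fix only because the IDs are numeric; the `WHERE IN` list is still assembled by string concatenation, so binding the values through `$wpdb->prepare()` with one `%d` per ID would stop relying on every caller remembering to cast.

Review bot: The second hunk (classes/core.php) adds `$ids = array_map( 'intval', $ids );` after the `explode()`, which makes the rest.php cast redundant but harmless as defense in depth; the open question is coverage rather than correctness. The Summary above names `order_by` alongside `ids` as an injectable parameter, and neither hunk touches an `order_by` value, so confirm that the shortcode/ordering path is validated elsewhere in v5.4.5, which for `ORDER BY` means an allow-list of permitted column names, since identifiers cannot be bound with `$wpdb->prepare()` placeholders.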
Exploit Outline
To exploit this vulnerability, an attacker requires at least Author-level authentication to access the plugin's REST API features (capability 'upload_files'). The attacker can then target the `/wp-json/meow-gallery/v1/preview` endpoint by sending a POST request with a JSON payload. The payload should include an 'ids' array containing malicious SQL fragments. Because the plugin implodes these IDs directly into a string and uses them in a SQL 'WHERE IN' clause without calling $wpdb->prepare(), the attacker can perform time-based or boolean-based blind SQL injection to extract sensitive information from the WordPress database, such as administrator user hashes or session data.
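Added example, not the plugin's own code: the `preview` handler pattern described above rewritten the way a defender would want it, rejecting any `ids` entry that is not a positive integer and binding the survivors through `$wpdb->prepare()` with one `%d` placeholder per value instead of imploding raw input into the `WHERE IN` clause. `FakeWpdb`, `build_preview_query()`, the query shape and the two sample bodies are assumptions made so the snippet runs outside WordPress.

```php
<?php
// Added example, not Meow Gallery code. Minimal stand-in for WordPress's $wpdb
// so the snippet runs outside WP; only prepare() is needed here.
class FakeWpdb {
    public $posts = 'wp_posts';
    public function prepare( $query, ...$args ) {
        // Like $wpdb->prepare() for %d placeholders: every bound value becomes an int.
        return vsprintf( $query, array_map( 'intval', $args ) );
    }
}

// Validate the decoded request body and build the gallery query safely.
// Returns the prepared SQL, or null when the request is rejected.
function build_preview_query( FakeWpdb $wpdb, string $raw_body ): ?string {
    $params = json_decode( $raw_body );
    // json_decode() failure or a non-array ids value is rejected up front; the
    // original handler would have imploded whatever arrived.
    if ( ! is_object( $params ) || ! isset( $params->ids ) || ! is_array( $params->ids ) ) {
        return null;
    }
    $ids = array();
    foreach ( $params->ids as $id ) {
        // Allow-list: only positive integers (or digit-only strings) survive.
        // A fragment such as "12 OR 1=1" fails the check and aborts the request.
        if ( is_int( $id ) && $id > 0 ) {
            $ids[] = $id;
        } elseif ( is_string( $id ) && ctype_digit( $id ) && (int) $id > 0 ) {
            $ids[] = (int) $id;
        } else {
            return null;
        }
    }
    if ( empty( $ids ) ) {
        return null;
    }
    // One %d per value; the list is bound through prepare(), never concatenated as text.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE ID IN ($placeholders)";
    return $wpdb->prepare( $sql, ...$ids );
}

// Constructed sample bodies: a normal preview request and a tampered one.
$wpdb = new FakeWpdb();
$normal   = json_encode( array( 'ids' => array( 12, '34' ) ) );
$tampered = json_encode( array( 'ids' => array( '12 OR 1=1' ) ) );
var_dump( build_preview_query( $wpdb, $normal ) );
var_dump( build_preview_query( $wpdb, $tampered ) );
```

In a real handler the `null` branch should become a `WP_Error` with HTTP status 400 so that the rejected request is visible in logs rather than silently producing an empty gallery.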