CVE-2023-0254: Changeset 2829005 for simple-membership-wp-user-import – WordPress Plugin Repository
The Simple Membership WP user Import plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Timestamp:
12/06/2022 03:06:57 AM
wp.insider
Message:
v1.8
Location:
simple-membership-wp-user-import/trunk
Files:
- classes/class.swpm_wp_user_list.php (2 diffs)
- readme.txt (2 diffs)
- swpm-wp-import.php (1 diff)
simple-membership-wp-user-import/trunk/classes/class.swpm_wp_user_list.php
r2029630
r2829005
75
75
$query = "SELECT \* FROM " . $wpdb->users ;
76
76
if (isset($\_POST\['s'\])){
77
$query .= " WHERE user\_login LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' "
78
. " OR user\_email LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' "
79
. " OR display\_name LIKE '%" . strip\_tags($\_POST\['s'\]) . "%' ";
77
$query .= " WHERE user\_login LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' "
78
. " OR user\_email LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' "
79
. " OR display\_name LIKE '%" . sanitize\_text\_field($\_POST\['s'\]) . "%' ";
80
80
}
81
$orderby = !empty($\_GET\["orderby"\]) ? strip\_tags($\_GET\["orderby"\]) : 'ASC';
82
$order = !empty($\_GET\["order"\]) ? strip\_tags($\_GET\["order"\]) : '';
81
$orderby = !empty($\_GET\["orderby"\]) ? sanitize\_text\_field($\_GET\["orderby"\]) : '';
82
$orderby = $this->sanitize\_value\_by\_array($orderby, $this->get\_sortable\_columns());
83
84
$order = !empty($\_GET\["order"\]) ? sanitize\_text\_field($\_GET\["order"\]) : 'asc';
85
$valid\_order\_parameters = array('asc' => 'ASC', 'desc' => 'DESC');
86
$order = $this->sanitize\_value\_by\_array($order, $valid\_order\_parameters);
87
83
88
if (!empty($orderby) & !empty($order)) {
84
89
$query.=' ORDER BY ' . $orderby . ' ' . $order;
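Review bot: The search term in the three LIKE clauses of the WHERE branch is still concatenated straight into the SQL string; swapping strip_tags() for sanitize_text_field() does not change that, because sanitize_text_field() strips tags, octets and whitespace but does not escape quotes for SQL. That branch should be built with $wpdb->prepare() and $wpdb->esc_like(), e.g. `$like = '%' . $wpdb->esc_like( sanitize_text_field( $_POST['s'] ) ) . '%';` followed by `$query .= $wpdb->prepare( " WHERE user_login LIKE %s OR user_email LIKE %s OR display_name LIKE %s ", $like, $like, $like );`. The orderby/order part of the change is the right shape: both values are now reduced to keys of a fixed allowlist (the sortable columns, and asc/desc) before they are placed in the ORDER BY string, and the old default of 'ASC' for $orderby, which was never a column name, is gone. Minor, in the unchanged condition line: `!empty($orderby) & !empty($order)` uses the bitwise `&` where `&&` is intended; it happens to work on two booleans but should be `&&`.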
…
…
112
117
\_e('No Member found.');
113
118
}
119
120
/\*\*
121
\* Checks if the string exists in the array key value of the provided array.
122
\* If it doesn't exist, it returns the first key element from the valid values.
123
\* @param type $to\_check
124
\* @param type $valid\_values
125
\* @return type
126
\*/
127
function sanitize\_value\_by\_array($to\_check, $valid\_values)
128
{
129
$keys = array\_keys($valid\_values);
130
$keys = array\_map('strtolower', $keys);
131
if (in\_array(strtolower($to\_check), $keys)) {
132
return $to\_check;
133
}
134
return reset($keys); //Return the first element from the valid values
135
}
114
136
}
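Review bot: On a match, sanitize_value_by_array() returns the caller's raw $to_check rather than the allowlist key it matched, so the string that reaches the query is the user-supplied spelling (only its lower-cased form was checked). Returning the canonical key is tighter and costs one line: `$idx = array_search( strtolower( $to_check ), $keys, true );` then `return $idx === false ? reset( $keys ) : $keys[ $idx ];` (keep the un-lowercased array_keys($valid_values) if the original key casing matters for the column name). The docblock should also replace the `@param type` / `@return type` placeholders with `string`, `array` and `string`, and the method should carry an explicit `public` (or `private`, since it is only used inside this class) visibility. The silent fallback to the first valid key on a non-match is fine for a list table, but it is worth a comment at the call site so nobody later assumes an invalid orderby is rejected.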
simple-membership-wp-user-import/trunk/readme.txt
r2809306
r2829005
3
3
Donate link: https://simple-membership-plugin.com/
4
4
Tags: users, wp user, import, export, member, members, membership, access, level
5
Requires at least: 5.0
5
Requires at least: 4.0
6
6
Tested up to: 6.1
7
Stable tag: 1.7
7
Stable tag: 1.8
8
8
License: GPLv2 or later
9
9
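Review bot: `Requires at least` is lowered from 5.0 to 4.0 in the same changeset as the security fix, but the 1.8 changelog entry does not mention it. If the lower floor is intentional it should be recorded; otherwise it looks like an accidental revert of the header. The fix itself does not constrain the minimum version, since sanitize_text_field() has been in core since 2.9.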
…
…
36
36
\== Changelog ==
37
37
38
\= 1.8 =
39
\* Fixed an SQL injection issue in the orderby parameter.
40
38
41
\= 1.7 =
39
42
\* Fixed members import issue.
40
\* Addon is now uses WP built-in jQuery datepicker.
43
\* Addon now uses WP built-in jQuery datepicker.
41
44
42
45
\= 1.6 =
simple-membership-wp-user-import/trunk/swpm-wp-import.php
r2029630
r2829005
6
6
Author: wp.insider
7
7
Author URI: https://simple-membership-plugin.com/
8
Version: 1.7
8
Version: 1.8
9
9
\*/
10
10
11
11
//Slug swmp\_wpimport\_
12
12
13
define( 'SWPM\_WP\_IMPORT\_VERSION', '1.7' );
13
define( 'SWPM\_WP\_IMPORT\_VERSION', '1.8' );
14
14
define('SWPM\_WP\_IMPORT\_PATH', dirname(\_\_FILE\_\_) . '/');
15
15
define('SWPM\_WP\_IMPORT\_URL', plugins\_url('',\_\_FILE\_\_));