[CVE-2022-1453] Unauthenticated SQL injection in RSVPmaker version 9.2.5
Description
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL injection due to missing SQL escaping and parameterization of user-supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.
Additional information
In the sked API (which does not require authentication), the setup of the API handling function defines a regex on the route path that should sanitize the input properly (line 5 in the following snippet):
class RSVPMaker_Sked_Controller extends WP_REST_Controller {
    public function register_routes() {
        $namespace = 'rsvpmaker/v1';
        // The route regex only admits digits for post_id in the URL path itself.
        $path = 'sked/(?P<post_id>[0-9]+)';
        register_rest_route(
            $namespace,
            '/' . $path,
            array(
                array(
                    'methods'             => 'GET',
                    'callback'            => array( $this, 'get_items' ),
                    'permission_callback' => array( $this, 'get_items_permissions_check' ),
                ),
            )
        );
    }
    // get_items() and get_items_permissions_check() are not shown here.
}
This, however, can be bypassed simply by redefining the post_id parameter as a query-string argument directly after the path, since WP_REST_Request gives query-string parameters precedence over the parameters captured from the route regex when resolving $request['post_id']:
baseurlname/wp-json/rsvpmaker/v1/sked/0?post_id=SQL INJECTION
This in turn gets passed directly on to the function get_template_sked:
$sked = get_template_sked($request['post_id']);
which runs an SQL query using the post_id value without sanitization (line 6):
function get_template_sked( $post_id ) {
    global $wpdb, $rsvp_options;
    $week_array = get_week_array();
    $day_array  = get_day_array();
    $singles    = array( 'hour', 'minutes', 'duration', 'end', 'stop' );
    $newsked = $wpdb->get_results( "SELECT * FROM $wpdb->postmeta WHERE post_id=$post_id AND meta_key LIKE '_sked_%' " );
    // $post_id is interpolated into the query string as-is: no intval() and no $wpdb->prepare().
    // ... remainder of the function not shown.
}
Fix
The fix for the vulnerability in this case is quite simple: just make sure that the post_id is always an integer before it reaches the query:
$sked = get_template_sked( intval($request['post_id']) );
It was fixed in the following commit: https://github.com/davidfcarr/rsvpmaker/commit/bfb189f49af7ab0d34499a2da772e3266f72167d
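For anyone checking whether the query-string override described above was ever used against a site, the following is an added example (not code from the advisory or from the RSVPMaker project) that scans combined-format access log lines for requests to the sked route whose post_id query parameter is not a plain integer. The log lines are constructed for the example; the route regex mirrors the one in register_routes(), and both the /wp-json/ and the ?rest_route= URL forms are handled.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not from the advisory);
# only the third request carries a non-integer post_id override.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:12:00:01 +0000] "GET /wp-json/rsvpmaker/v1/sked/42 HTTP/1.1" 200 812
203.0.113.5 - - [10/May/2022:12:00:02 +0000] "GET /wp-json/rsvpmaker/v1/sked/0?post_id=7 HTTP/1.1" 200 512
198.51.100.9 - - [10/May/2022:12:00:03 +0000] "GET /wp-json/rsvpmaker/v1/sked/0?post_id=0%20OR%201%3D1 HTTP/1.1" 200 9031
198.51.100.9 - - [10/May/2022:12:00:04 +0000] "GET /wp-json/wp/v2/posts?post_id=x HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Mirrors the route regex from register_routes(): the path part only admits digits.
SKED_ROUTE_RE = re.compile(r'^/rsvpmaker/v1/sked/\d+/?$')

def post_id_override(target):
    """Return the query-string post_id of a sked request (None if absent or not sked).
    Handles pretty-permalink (/wp-json/...) and ?rest_route= forms. The route only
    accepts GET, so an override must travel in the query string, which logs record."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.startswith('/wp-json/'):
        route = parts.path[len('/wp-json'):]
    elif 'rest_route' in query:
        route = query['rest_route'][0]
    else:
        return None
    if not SKED_ROUTE_RE.match(route):
        return None
    values = query.get('post_id')
    return values[0] if values else None

def is_plain_int(value):
    """True for values that intval() would pass through unchanged."""
    return re.fullmatch(r'-?\d+', value) is not None

def find_suspicious(log_text):
    """Return (ip, target, decoded post_id) for every override that is not an integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        override = post_id_override(m['target'])
        if override is not None and not is_plain_int(override):
            hits.append((m['ip'], m['target'], override))
    return hits
```

An integer override such as post_id=7 is still unusual for this route but is exactly what the intval() fix neutralizes, so it is not flagged here; widen is_plain_int() if any override at all should be reported.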