30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin

🎉 Did you know we're running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On April 10th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Execution vulnerability in Visualizer, a WordPress plugin with more than 30,000 active installations. This vulnerability can be leveraged for privilege escalation among many other actions.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $985.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 15, 2024. Sites using the free version of Wordfence received the same protection 30 days later on May 15, 2024.

We contacted the Themeisle Team on April 12, 2024, and received a response on the next day. After providing full disclosure details, the developer released the first patch, which did not fully address the vulnerability on April 15, 2024. A fully patched version, 3.11.0, was released on May 13, 2024.

We urge users to update their sites with the latest patched version of Visualizer, which is version 3.11.0, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Visualizer: Tables and Charts Manager for WordPress <= 3.10.15 - Missing Authorization to Arbitrary SQL Execution **Affected Plugin:**Visualizer: Tables and Charts Manager for WordPress Plugin Slug:visualizer Affected Versions:<= 3.10.15 CVE ID:CVE-2024-3750 **CVSS Score:**8.8 (High) CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Researcher/s:Krzysztof Zając **Fully Patched Version:**3.11.0 Bounty Award: $985.00

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on the getQueryData() function in all versions up to, and including, 3.10.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform arbitrary SQL queries that can be leveraged for privilege escalation among many other actions.

Technical Analysis

Visualizer is a WordPress plugin for creating, managing, and embedding interactive, responsive charts and tables.

Unfortunately, insecure implementation of the plugin’s fetch chart data functionality allows for arbitrary SQL execution. Examining the code reveals that the plugin uses the getQueryData() function in the Visualizer_Module_Chart class to query data for charts, where the query can be specified with the 'query' parameter.

public function getQueryData() {
	check_ajax_referer( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION, 'security' );

	$params     = wp_parse_args( $_POST['params'] );
	$chart_id   = filter_var( $params['chart_id'], FILTER_VALIDATE_INT );

	$source     = new Visualizer_Source_Query( stripslashes( $params['query'] ), $chart_id, $params );
	$html       = $source->fetch( true );
	$error      = $source->get_error();
	if ( ! empty( $error ) ) {
		wp_send_json_error( array( 'msg' => $error ) );
	}
	wp_send_json_success( array( 'table' => $html ) );
}

This function builds the query using the Visualizer_Source_Query class. The fetch() function that queries the database contains the following code snippets:

public function fetch( $as_html = false, $results_as_numeric_array = false, $raw_results = false ) {
	if ( empty( $this->_query ) ) {
		return false;
	}

	// only select queries allowed.
	if ( preg_match( '/^\s*(insert|delete|update|replace|create|alter|drop|truncate)\s/i', $this->_query ) ) {
		$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
		return false;
	}


$rows       = $wpdb->get_results( $this->_query, $results_as_numeric_array ? ARRAY_N : ARRAY_A );

A regex check is used to allow only SELECT queries, but unfortunately, this is not sufficient as it can be bypassed through the use of comments, allowing arbitrary queries to be executed, including INSERT, UPDATE or DELETE statements.

This makes it possible for authenticated attackers to insert, delete or update data in the database arbitrarily, which can be leveraged for privilege escalation, modifying posts and pages, and various other malicious actions. This vulnerability will likely be exploited by threat actors so we urge users to make sure the plugin is up to date as soon as possible.

Disclosure Timeline

April 10, 2024 – We received the submission for the SQL Execution vulnerability in Visualizer via the Wordfence Bug Bounty Program. April 12, 2024– We validated the report and confirmed the proof-of-concept exploit. April 12, 2024– We sent over the full disclosure details. April 13, 2024– The vendor acknowledged the report and began working on a fix. April 15, 2024– Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability. April 15, 2024– A partially patched version of the plugin, 3.10.12, was released. April 17, 2024– A partially patched version of the plugin, 3.10.13, was released. May 13, 2024– The fully patched version of the plugin, 3.11.0, was released. May 15, 2024 – Wordfence Free users received the same protection.

Conclusion

In this blog post, we detailed an Arbitrary SQL Execution vulnerability within the Visualizer plugin affecting versions 3.10.15 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to inject malicious SQL queries for deleting, modifying, or retrieving data. The vulnerability has been fully addressed in version 3.11.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Visualizer as soon as possible considering the critical nature of this vulnerability.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of April 15, 2024. Users using the free version of Wordfence received the same protection 30 days later on May 15, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin appeared first on Wordfence.