CVE-2026-4352
Status: Received
SQL Injection in JetEngine WordPress Plugin Exposes Data

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: Wordfence

Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
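The two patterns the description contrasts, shown side by side as an added illustration written for this page (hypothetical handlers, not JetEngine's code): the `sprintf()` interpolation that lets an unescaped quote reach the query, and a `$wpdb->prepare()` rewrite. The table name, columns and route namespace are constructed placeholders.

```php
<?php
// Hypothetical CCT search handlers written for this page; not JetEngine's own
// code. Table, columns and route are constructed placeholders.

// Vulnerable pattern from the advisory: the value is interpolated with
// sprintf(). The REST layer has already applied wp_unslash(), so a single
// quote arrives unescaped, closes the string literal and the rest of the value
// is parsed as SQL.
function cct_search_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'jet_cct_items'; // placeholder table name
    $search = (string) $request->get_param( '_cct_search' );

    // %% is a literal percent sign in sprintf, so this yields LIKE '%value%'.
    $sql = sprintf( "SELECT _ID, title FROM %s WHERE title LIKE '%%%s%%'", $table, $search );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

// Hardened form: the literal is bound via $wpdb->prepare(), which escapes and
// quotes it as data; $wpdb->esc_like() neutralises % and _ inside the value
// so user input cannot widen the LIKE match either.
function cct_search_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'jet_cct_items'; // placeholder table name
    $search = sanitize_text_field( (string) $request->get_param( '_cct_search' ) );

    if ( '' === $search || mb_strlen( $search ) > 200 ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid search term', array( 'status' => 400 ) );
    }

    // Identifiers cannot be %s placeholders; the table name comes from a fixed
    // constant plus $wpdb->prefix, never from the request.
    $sql = $wpdb->prepare(
        "SELECT _ID, title FROM {$table} WHERE title LIKE %s",
        '%' . $wpdb->esc_like( $search ) . '%'
    );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

// A public GET route is the precondition named in the advisory.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cct/v1', '/search', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'cct_search_hardened',
        'permission_callback' => '__return_true',
    ) );
} );
```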
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: crocoblock
Product: jetengine
Version / Range: up to 3.8.6.1 (inclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The JetEngine plugin for WordPress has a vulnerability in its Custom Content Type (CCT) REST API search endpoint in all versions up to and including 3.8.6.1. This vulnerability is a SQL Injection caused by the `_cct_search` parameter being directly inserted into a SQL query string using `sprintf()` without proper sanitization or the use of `$wpdb->prepare()`. Additionally, the WordPress REST API's `wp_unslash()` function removes the protection normally provided by `wp_magic_quotes()`, allowing attackers to inject single quotes and manipulate the SQL query.

Because of this, unauthenticated attackers can append additional SQL queries to existing ones, potentially extracting sensitive information from the database. For this vulnerability to be exploitable, the Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to perform SQL Injection attacks on the WordPress site's database via the JetEngine plugin's REST API. This can lead to unauthorized extraction of sensitive information stored in the database.

  • Attackers can retrieve sensitive data without authentication.
  • The integrity of the database is not directly affected (no data modification), but confidentiality is compromised.
  • The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL Injection via the Custom Content Type (CCT) REST API search endpoint in the JetEngine WordPress plugin. Detection can focus on monitoring HTTP requests to the REST API endpoints related to CCT, especially those containing the `_cct_search` parameter.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to look for suspicious GET requests with SQL injection patterns in the `_cct_search` parameter.

Example commands to detect such attempts might include:

  • Using grep on web server logs to find suspicious `_cct_search` parameters: `grep "_cct_search=.*'" /var/log/apache2/access.log` (the pattern must be double-quoted so the single quote is passed to grep)
  • Using curl to test the endpoint manually: `curl -v 'https://yourwordpresssite.com/wp-json/cct/v1/search?_cct_search=1'` (replace with payloads containing single quotes or SQL syntax to check for injection)
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on SQL injection patterns targeting the REST API endpoints.
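Added example, not part of this record's Q&A: a small PHP CLI scanner over constructed access-log lines that URL-decodes the `_cct_search` value before matching, because an injected quote usually reaches the log as `%27` and a grep for a literal quote will not see it. The route path, client IPs, log lines and the `CCT_SQLI_PATTERN` heuristic are constructed for this example.

```php
<?php
// Added detection example (not from the advisory): scan combined-format access
// log lines (Apache/nginx) for requests carrying _cct_search and flag values
// that contain a quote or SQL syntax once URL-decoded.

// Constructed heuristic: quotes, comment markers and common SQL keywords.
const CCT_SQLI_PATTERN = '/(\'|"|--|\/\*|\bunion\b|\bselect\b|\bor\b\s+[\'"\d]|\bsleep\s*\()/i';

/** Return the decoded _cct_search value from one log line, or null if absent. */
function cct_search_param( string $line ): ?string {
    if ( ! preg_match( '/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! is_string( $query ) ) {
        return null;
    }
    parse_str( $query, $params ); // parse_str percent-decodes every value
    return isset( $params['_cct_search'] ) ? (string) $params['_cct_search'] : null;
}

/** Classify one line: 'suspicious', 'benign' (param present but clean) or 'n/a'. */
function classify_line( string $line ): string {
    $value = cct_search_param( $line );
    if ( null === $value ) {
        return 'n/a';
    }
    return preg_match( CCT_SQLI_PATTERN, $value ) ? 'suspicious' : 'benign';
}

// Constructed sample lines; the route path and IPs are placeholders.
$sample_log = [
    '203.0.113.7 - - [14/Apr/2026:10:01:02 +0000] "GET /wp-json/jet-cct/example/?_cct_search=laptop HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:01:05 +0000] "GET /wp-json/jet-cct/example/?_cct_search=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Apr/2026:10:01:09 +0000] "GET /wp-json/wp/v2/posts?search=hello HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach ( $sample_log as $line ) {
    if ( 'suspicious' === classify_line( $line ) ) {
        // Report client IP and decoded value so an analyst can triage the hit.
        echo 'ALERT ', strtok( $line, ' ' ), ' _cct_search=', cct_search_param( $line ), PHP_EOL;
    }
}
```

Only the second constructed line is reported; the first is a clean search and the third does not carry the parameter.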

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Update the JetEngine plugin to a version later than 3.8.6.1 where this vulnerability is fixed.
  • If updating is not immediately possible, disable the Custom Content Types module or any public REST GET endpoints related to CCT to prevent exploitation.
  • Implement web application firewall (WAF) rules to block or monitor suspicious requests containing SQL injection patterns targeting the `_cct_search` parameter.
  • Restrict access to the REST API endpoints if possible, limiting exposure to unauthenticated users.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Exposure of sensitive data through such an attack could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information.

Therefore, exploitation of this vulnerability may result in violations of these common standards and regulations due to unauthorized data disclosure.
