A significant SQL injection (SQLi) vulnerability and a second security issue in Hide My WP allowed unauthenticated attackers to disable the plugin. The problems were identified by Dave Jong, CTO of Patchstack, during an audit of multiple plugins on a customer's website. Exploiting the SQLi to extract information from the database requires no prerequisites, and the vulnerability could be readily exploited with an automated tool such as SQLmap.
According to Jong, the second flaw is less severe, but under the right circumstances it could allow a malicious user to go on to exploit another, separate flaw. He emphasized that both weaknesses are relatively easy to exploit because they require no prerequisites.
Hide My WP, which has over 26,000 customers, uses various techniques to hide WordPress installations from malicious hackers, spammers and theme detectors. Ironically, although the plugin includes a feature meant to protect against SQLi and XSS attacks, it itself contained an SQLi flaw because of how the IP address was obtained and then used within SQL queries.
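The root cause described above, a client-influenced IP address flowing into an SQL query, is illustrated here as an added example in Python with SQLite; it is not the plugin's code, and the table, header names and sample values are constructed. The naive path trusts a forwarded header and splices it into the statement, while the hardened path only honours the header behind a trusted proxy, validates it as an IP address and binds it as a parameter.

```python
import ipaddress
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a plugin's per-visitor log.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (ip TEXT, hits INTEGER)")
    db.executemany("INSERT INTO visits VALUES (?, ?)",
                   [("203.0.113.7", 3), ("198.51.100.9", 1)])
    return db


def client_ip_naive(headers, remote_addr):
    # Trusts the first X-Forwarded-For value, which any client can set.
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def query_naive(ip):
    # Vulnerable pattern: request-controlled text spliced into SQL.
    return "SELECT hits FROM visits WHERE ip = '" + ip + "'"


def naive_lookup_succeeds(db, headers, remote_addr):
    # Shows the defect: header text reaches the SQL parser unchanged,
    # so a stray quote changes the statement instead of being data.
    try:
        db.execute(query_naive(client_ip_naive(headers, remote_addr)))
        return True
    except sqlite3.OperationalError:
        return False


def client_ip_hardened(headers, remote_addr, trusted_proxy=False):
    # Only honour forwarded headers when a trusted proxy sets them,
    # then require a syntactically valid IP address (ValueError otherwise).
    raw = remote_addr
    if trusted_proxy and "X-Forwarded-For" in headers:
        raw = headers["X-Forwarded-For"].split(",")[0].strip()
    return str(ipaddress.ip_address(raw))


def lookup_hardened(db, headers, remote_addr, trusted_proxy=False):
    # Parameterised query: the bound value can never alter the statement.
    try:
        ip = client_ip_hardened(headers, remote_addr, trusted_proxy)
    except ValueError:
        return None  # refuse to query with unvalidated input
    row = db.execute("SELECT hits FROM visits WHERE ip = ?", (ip,)).fetchone()
    return row[0] if row else 0
```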
Jong said he identified the flaw, alerted the plugin's developer, wpWave, and delivered a "virtual patch" to premium Patchstack clients on September 29. After wpWave had failed to reply by October 5, he notified Envato, which acted within minutes and temporarily removed the plugin from its codecanyon.net marketplace. Jong commended wpWave for quickly fixing both problems in Hide My WP version 6.2.4, published on October 26.
Patchstack's CTO encouraged other researchers and developers to submit any problems they find in WordPress plugins to Patchstack's bug bounty program dedicated to WordPress plugins.