Hide My WP WordPress Plugin Has SQL Injection and Deactivation Vulnerabilities


A significant SQL injection (SQLi) vulnerability and a second security issue in Hide My WP allowed unauthenticated attackers to disable the plugin. The problems were identified by Dave Jong, CTO of Patchstack, during an audit of multiple plugins on a customer’s website. Exploiting the SQLi to extract information from the database requires no authentication or other preconditions, so the vulnerability could readily be exploited with an automated tool such as SQLmap.

According to Jong, the other flaw is less severe, but under the right circumstances it may let a hostile user go on to exploit a separate flaw. He emphasized that both weaknesses are relatively easy to exploit because they require no prerequisites.

Hide My WP, which has over 26,000 customers, uses various methods to hide WordPress installations from harmful hackers, spammers, and theme detectors. Although the plugin includes a feature intended to protect against SQLi and XSS attacks, it contained an SQLi flaw of its own because of how it obtained the client IP address and used it within SQL queries.
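As an added illustration (not Hide My WP’s own code; the table name, the header handling and the helper names are assumptions), the unsafe pattern the article describes, a client-supplied IP address concatenated into SQL, beside a hardened version for a WordPress plugin:

```php
<?php
// Hypothetical illustration, not Hide My WP's code: a client-IP lookup that
// feeds a SQL query, first in the unsafe shape, then hardened.

// UNSAFE: the IP comes from a client-controlled header and is concatenated
// straight into the query, so attacker data ends up inside the SQL text.
function unsafe_ip_is_blocked( $wpdb ) {
    $ip = isset( $_SERVER['HTTP_X_FORWARDED_FOR'] )
        ? $_SERVER['HTTP_X_FORWARDED_FOR']
        : $_SERVER['REMOTE_ADDR'];
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}blocked_ips WHERE ip = '$ip'";
    return (int) $wpdb->get_var( $sql ) > 0;
}

// HARDENED: (1) start from REMOTE_ADDR, which the web server sets, and honour a
// forwarding header only when the connection came from a known proxy,
// (2) reject anything that is not a syntactically valid IP literal, and
// (3) bind the value with $wpdb->prepare() instead of string concatenation.
function get_validated_client_ip( array $trusted_proxies = array() ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( in_array( $ip, $trusted_proxies, true )
        && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // Use the right-most hop, the one appended by the trusted proxy;
        // earlier entries in the list are whatever the client chose to send.
        $hops = explode( ',', wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $ip   = trim( end( $hops ) );
    }
    // filter_var() returns false for anything that is not an IPv4/IPv6
    // literal, which also rules out quotes, comment markers and other
    // SQL metacharacters before the value gets anywhere near a query.
    $ip = filter_var( $ip, FILTER_VALIDATE_IP );
    return false === $ip ? null : $ip;
}

function safe_ip_is_blocked( $wpdb, array $trusted_proxies = array() ) {
    $ip = get_validated_client_ip( $trusted_proxies );
    if ( null === $ip ) {
        return false; // no valid IP to look up; the caller decides how to treat that
    }
    // Placeholder binding: the IP is passed as a parameter, never as SQL text.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}blocked_ips WHERE ip = %s",
        $ip
    );
    return (int) $wpdb->get_var( $sql ) > 0;
}
```

Even with placeholder binding, validating the address first matters: a plugin that later echoes or logs the stored value is otherwise still handling untrusted text.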

Jong claimed he identified the flaw, alerted the plugin’s creator, wpWave, and delivered a “virtual patch” to premium Patchstack clients on September 29. After wpWave failed to reply on October 5, he notified Envato, which acted within minutes and temporarily disabled the plugin from its codecanyon.net store. Jong commended wpWave for quickly fixing both problems in Hide My WP version 6.2.4, which was published on October 26.

Patchstack’s CTO asked other researchers and developers to submit any problems they detect in WordPress plugins to Patchstack’s reward program dedicated to WordPress plugins.

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
