95,000 Users at Risk: SQL Injection Lurks in Porto Theme Plugin
In the world of WordPress themes, Porto has carved out a reputable niche for itself, known for its multipurpose functionality and WooCommerce integration. With over 95,000 active installations, it’s a go-to choice for businesses seeking a reliable and versatile online presence. But beneath this layer of convenience and aesthetic appeal, a critical vulnerability lurked, posing a serious threat to users and website integrity.
The Porto Theme’s companion plugin, ‘Porto Theme – Functionality’ (premium version), developed by p-themes, was found to harbor a severe SQL injection vulnerability reachable without authentication, potentially giving an attacker unauthorized access to sensitive data. Identified as CVE-2023-48738 and rated 9.3 on the CVSS scale, this vulnerability was a ticking time bomb in the Porto theme’s code.
The vulnerability was rooted in the `bulk_delete_critical` function, which was responsible for deleting critical CSS – a feature designed to reduce CSS file rendering time. The flaw emerged from the way the function processed the `$page_ids` variable, which lacked proper sanitization and validation, making it susceptible to SQL injection attacks.
Attackers could exploit this vulnerability by manipulating the `table_actions` function, which then called `bulk_delete_critical`. Due to the absence of permission and nonce validation in both functions, this pathway was left unprotected, allowing unauthenticated users to execute SQL injection payloads via the `$page_ids` variable.
In response to the CVE-2023-48738 vulnerability, Porto Theme – Functionality plugin version 2.12.1 was released. This patch introduced permission and nonce validation in the `table_actions` function. Additionally, it enforced strict type casting for the `$page_ids` variable, ensuring it only contained valid integer values to prevent SQL injection.
This incident serves as a stark reminder of the importance of securing SQL processing in plugins and themes. Using the proper functions such as `esc_sql()` and `$wpdb->prepare` is crucial, but calling them is not enough on its own: they must be applied correctly at every point where untrusted input reaches a query. For variables intended to contain only integer values, casting with `intval` is recommended to ensure the integrity of the data.
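As an added example (not the plugin's own code), the handler shape the article describes and its hardened counterpart in WordPress-style PHP: the `_critical_css` meta key in `wp_postmeta`, the `porto_bulk_delete_critical` nonce action and the `manage_options` capability are assumptions, since the page does not name them.

```php
<?php
// Added illustration, not the plugin's code. Assumed: the `_critical_css`
// meta key, the `porto_bulk_delete_critical` nonce action and the
// `manage_options` capability. Requires the WordPress runtime ($wpdb etc.).

// Vulnerable pattern: ids arrive straight from the request and are spliced
// into the SQL string. With no capability or nonce check, any unauthenticated
// visitor can reach it, and a non-numeric value changes the query instead of
// being rejected.
function bulk_delete_critical_unsafe( $page_ids ) {
    global $wpdb;
    $ids = implode( ',', (array) $page_ids );
    return $wpdb->query(
        "DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_critical_css' AND post_id IN ($ids)"
    );
}

// Hardened pattern, following the steps the 2.12.1 fix is described to take.
function bulk_delete_critical_safe( $page_ids ) {
    global $wpdb;

    // 1. Permission check: only users allowed to manage the site get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: the request must carry a valid 'nonce' field for this action.
    check_ajax_referer( 'porto_bulk_delete_critical', 'nonce' );

    // 3. Strict type casting: anything that is not a positive integer is dropped.
    //    esc_sql() alone would not help here: the ids sit in an unquoted
    //    IN (...) list, so there are no quotes for escaping to protect.
    $ids = array_filter( array_map( 'intval', (array) $page_ids ), function ( $id ) {
        return $id > 0;
    } );
    if ( empty( $ids ) ) {
        return 0;
    }

    // 4. One %d placeholder per id, bound through $wpdb->prepare().
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta} WHERE meta_key = %s AND post_id IN ($placeholders)",
        array_merge( array( '_critical_css' ), array_values( $ids ) )
    );
    return $wpdb->query( $sql );
}
```

The capability and nonce checks belong in the dispatching `table_actions` handler as well as here, so that no other code path reaches the delete without them.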