95,000 Users at Risk: SQL Injection Lurks in Porto Theme Plugin

CVE-2023-48738

In the world of WordPress themes, Porto has carved out a reputable niche for itself, known for its multipurpose functionality and WooCommerce integration. With over 95,000 active installations, it’s a go-to choice for businesses seeking a reliable and versatile online presence. But beneath this layer of convenience and aesthetic appeal, a critical vulnerability lurked, posing a serious threat to users and website integrity.

The Porto Theme’s companion plugin, ‘Porto Theme – Functionality’ (premium version), developed by p-themes, was found to harbor a severe unauthenticated SQL injection vulnerability. This flaw allowed an unauthenticated attacker to inject SQL into a database query, potentially giving them unauthorized access to sensitive data. Identified as CVE-2023-48738 and rated 9.3 on the CVSS scale, this vulnerability was a ticking time bomb in the Porto theme’s code.

The vulnerability was rooted in the `bulk_delete_critical` function, which was responsible for deleting critical CSS – a feature designed to reduce CSS file rendering time. The flaw emerged from the way the function processed the `$page_ids` variable, which lacked proper sanitization and validation, making it susceptible to SQL injection attacks.

```php
/**
 * Bulk delete the critical CSS.
 *
 * @since 2.3.0
 */
public function bulk_delete_critical() {
	// No capability check and no nonce verification before acting on the request.
	if ( ! isset( $_GET['post'] ) ) {
		$this->redirect_critical_wizard();
	}

	// Raw, attacker-controlled values straight from the query string.
	$page_ids = wp_unslash( $_GET['post'] );

	foreach ( $page_ids as $key => $value ) {
		if ( 'homepage' == $value ) {
			unset( $page_ids[ $key ] );
			update_option( 'homepage_critical', '' );
			break;
		}
	}

	// Delete critical css
	global $wpdb;
	// sanitize_text_field() strips tags and whitespace but does not restrict the
	// value to integers, so the joined string can still carry SQL.
	$page_ids = sanitize_text_field( implode( ',', $page_ids ) );
	// $page_ids is interpolated into the SQL string itself, not passed as a
	// placeholder argument, so $wpdb->prepare() has nothing to escape.
	$wpdb->query( $wpdb->prepare( 'UPDATE ' . $wpdb->postmeta . " SET meta_value = '' WHERE meta_id IN ($page_ids)" ) ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

	$this->redirect_critical_wizard();
}
```

Attackers could exploit this vulnerability by manipulating the `table_actions` function, which then called `bulk_delete_critical`. Due to the absence of permission and nonce validation in both functions, this pathway was left unprotected, allowing unauthenticated users to execute SQL injection payloads via the `$page_ids` variable.

In response to the CVE-2023-48738 vulnerability, Porto Theme – Functionality plugin version 2.12.1 was released. This patch introduced permission and nonce validation in the `table_actions` function. Additionally, it enforced strict type casting for the `$page_ids` variable, ensuring it only contained valid integer values to prevent SQL injection.

This incident serves as a stark reminder of the importance of securing database access in plugins and themes. While the use of proper functions like `esc_sql()` and `$wpdb->prepare` is crucial, they alone are insufficient: `$wpdb->prepare` only protects values supplied as placeholder arguments, not values that have already been concatenated into the query string, as happened here. Proper implementation and usage are equally vital to prevent SQL injection vulnerabilities. For variables intended to contain only integer values, casting with `intval` is recommended to ensure the integrity of the data.
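As an added illustration of the remediation described above (permission and nonce validation, integer casting, and a properly parameterised query), here is a hardened version of the handler. This is example code written for this article, not the plugin’s actual 2.12.1 patch; the `manage_options` capability and the `porto_bulk_delete_critical` nonce action are assumptions, and the method is meant to live inside the plugin’s class alongside `redirect_critical_wizard()`.

```php
<?php
// Added example, not the plugin's own code. Capability name and nonce action
// are assumptions; everything else mirrors the vulnerable snippet above.
public function bulk_delete_critical() {
	// 1. Authorisation: refuse unless the user may manage site options.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'porto' ), 403 );
	}

	// 2. Intent: verify the nonce so the request cannot be forged.
	check_admin_referer( 'porto_bulk_delete_critical' ); // assumed nonce action

	if ( ! isset( $_GET['post'] ) || ! is_array( $_GET['post'] ) ) {
		$this->redirect_critical_wizard();
		return; // stop here; do not fall through to the query
	}

	$page_ids = wp_unslash( $_GET['post'] );

	// Handle the special 'homepage' entry without touching postmeta.
	if ( in_array( 'homepage', $page_ids, true ) ) {
		update_option( 'homepage_critical', '' );
	}

	// 3. Type enforcement: every remaining value becomes a positive integer
	//    or is dropped ('homepage' and any injected string cast to 0).
	$meta_ids = array_values( array_filter(
		array_map( 'intval', $page_ids ),
		function ( $id ) { return $id > 0; }
	) );

	if ( empty( $meta_ids ) ) {
		$this->redirect_critical_wizard();
		return;
	}

	global $wpdb;
	// 4. Parameterised query: one %d placeholder per id, values passed as
	//    arguments so prepare() formats them rather than interpolating text.
	$placeholders = implode( ',', array_fill( 0, count( $meta_ids ), '%d' ) );
	$wpdb->query(
		$wpdb->prepare(
			"UPDATE {$wpdb->postmeta} SET meta_value = '' WHERE meta_id IN ($placeholders)",
			$meta_ids
		)
	);

	$this->redirect_critical_wizard();
}
```

With this shape, a request carrying anything other than integers never reaches the database: it is rejected at the capability or nonce check, or reduced to an empty list by the cast-and-filter step.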