A Proof-of-Concept (POC) exploit also exists, translating to the fact that the vulnerability path works and can potentially be leveraged by cybercriminals for malicious purposes. According to Patchstack the flaw, “Can be exploited remotely without any authentication.”
About StopBadBots
StopBadBots is a WordPress plugin with over 10,000 active installations, supported by WordPress version 4.0 and above. Although the plugin is not nearly as popular as some of the top WordPress plugins such as Yoast, Jetpack, and Akismet that have recorded millions of installations, it is still used by a significant amount of users. According to the plugin’s introduction web page, StopBadBots is a, “completely self-contained” plugin that stops, “Bad Bots, SPAM bots, Crawlers and spiders without DNS Cloud or API (EndPoint) Traffic Redirection.” Furthermore, the description of the plugin states that it will not cause site slow-downs, or incur Google penalties. Some premium features of the plugin include the ability to block malicious traffic and spam from countries such as Cuba, North Korea, and China via a ready-made database of IP addresses. StopBadBots also offers banning, “SPAMMERS, CRAWLERS, SPIDERS, HACKERS AND BAD BEHAVIOR” as well as offering ‘anti-hacker protection.’
StopBadBots Plugin Security Flaw
Information from WPScan confirmed the presence of a POC, “The PoC will be displayed on November 29, 2021, to give users the time to update.” The software vulnerability in the StopBadBots plugin (CVE-2021-24863) is type SQL Injection which allows a remote attacker to gain unauthorized access to the application. StopBadBots does not “sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection.” The attack can be launched remotely.
SQL Injection
An SQL Injection attack (SQLI) is a method used by cybercriminals most commonly to breach databases in an unauthorized manner, via automated programs. Several high-tier companies such as Equifax, Yahoo, Sony Pictures, and others were compromised as a result of an SQLI attack. SQLI attacks are not difficult for cybercriminals to orchestrate. According to Malwarebytes, “Cybersecurity researchers regard the SQLI as one of the least sophisticated, easy-to-defend-against cyberthreats.” Attacks leverage the decades-old SQL language (Structured Query Language) commonly used in managing online databases to, “enter malicious commands into web forms, like the search field, login field, or URL, of an unsecured website to gain unauthorized access to sensitive and valuable data.”
Vulnerable Software Versions
StopBadBots versions below 6.67 (6.66 and below) are vulnerable to the SQL injection security flaw.
Important User Information
Users need to know that this is a high-risk situation where a POC exists for the StopBadBots WordPress security plugin. An exploited plugin vulnerability could result in the compromise of websites, user devices as well as the wider network. For that reason, all users must update immediately to the fixed version of the StopBadBots plugin. Release 6.67 of the plugin can be downloaded here.