CVE-2020-5766 Scanner
CVE-2020-5766 Scanner - SQL Injection vulnerability in SRS Simple Hits Counter (WordPress Plugin)
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 20 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
SRS Simple Hits Counter is a lightweight WordPress plugin used to track the number of hits or visits to posts and pages. It is commonly employed by website administrators and bloggers to monitor user engagement on their content. Due to its simplicity, it is popular among non-technical users looking for basic analytics functionality without complex setup. The plugin integrates directly into WordPress pages, requiring minimal configuration. It is available through the WordPress plugin repository and used across various website categories. Its main objective is to provide a visual count of visitors to each post for content performance evaluation.
This scanner detects a blind SQL injection vulnerability in the SRS Simple Hits Counter WordPress plugin. The vulnerability stems from improper neutralization of user-supplied input before it is used to construct SQL queries. This flaw allows remote attackers to manipulate backend database queries, enabling unauthorized data access. Because the injection is blind, attackers cannot view query output directly but can infer it from response timing. The flaw does not require authentication, which increases the risk of automated mass exploitation. It poses a serious risk because it could expose sensitive user data such as password hashes.
The technical issue lies in the `srs_update_counter` AJAX action endpoint, which accepts a `post_id` parameter and fails to sanitize it properly. Attackers can use this flaw to inject SQL payloads using a time-based inference approach. By sending a request to `admin-ajax.php` with a manipulated `post_id`, they can perform a binary search over database values. The injected query uses `sleep()` delays to distinguish true from false conditions, extracting sensitive information one character at a time. The template demonstrates this by targeting the `user_pass` field of the admin user. Detection succeeds when a measurable response delay indicates a correct guess.
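The paragraph above names the exact request shape involved: a call to `admin-ajax.php` with `action=srs_update_counter` and a `post_id` that should only ever be an integer. That makes the pattern easy to pick out of web-server access logs on the defender's side. The script below is an added example, not part of this page or of the plugin: it parses combined-format access-log lines (the sample lines are constructed for the example) and flags any `srs_update_counter` request whose `post_id` is not a plain unsigned integer, noting separately when a `sleep(` call appears, which is the time-based marker the advisory text describes. The log format, the IP addresses and the helper names are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=42 HTTP/1.1" 200 12
203.0.113.9 - - [10/Mar/2021:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=42%20AND%20SLEEP(5) HTTP/1.1" 200 12
203.0.113.9 - - [10/Mar/2021:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=42)%20or%20sleep(5)%23 HTTP/1.1" 200 12
198.51.100.7 - - [10/Mar/2021:12:00:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30
"""

# Combined-log prefix up to and including the request line: client IP, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Endpoint and AJAX action named in the advisory text above.
VULN_ACTION = "srs_update_counter"
# Time-delay function the advisory says the injected query relies on.
TIME_DELAY_RE = re.compile(r"sleep\s*\(", re.IGNORECASE)


def inspect_request(line: str):
    """Return a finding dict for a suspicious srs_update_counter call, else None.

    A hit-counter endpoint only needs an integer post ID, so any post_id that is
    not a plain unsigned integer is treated as an injection attempt.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None  # not a parseable combined-log line
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    post_id = params.get("post_id", [""])[0]  # parse_qs already URL-decodes the value
    if re.fullmatch(r"\d+", post_id):
        return None  # well-formed integer ID: benign
    reasons = ["post_id is not a plain integer"]
    if TIME_DELAY_RE.search(post_id):
        reasons.append("time-delay function in post_id (time-based blind SQLi marker)")
    return {"ip": m.group("ip"), "post_id": post_id, "reasons": reasons}


def scan_log(text: str):
    """Run inspect_request over every line and return the list of findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']}: post_id={finding['post_id']!r} -> {'; '.join(finding['reasons'])}")
```

The integer check is the important rule: it catches any malformed `post_id`, not just the `sleep()` variant, so it still fires if a different delay or boolean technique is used against the same endpoint. Access logs only carry the query string, so requests that send `post_id` in a POST body need inspection at the web-server or WAF layer instead. On the plugin side, the equivalent fix is to cast the parameter to an integer (WordPress's `absint()`) and to build the query with `$wpdb->prepare()` rather than string concatenation.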
If successfully exploited, this vulnerability could lead to unauthorized extraction of user credentials or other database records. Attackers could enumerate user accounts, compromise admin credentials, and potentially gain full access to the WordPress site. This opens the door to further exploitation such as defacement, content manipulation, and malware injection. Exploiting this blind SQL injection could also allow lateral movement to other databases or services if misconfigurations exist. Ultimately, the integrity and confidentiality of user data on the website may be severely compromised.