Prevent SQL Injection Attacks in WordPress Plugins

A recurring worry when you want to install an unknown plugin on your WordPress blog is whether the plugin is vulnerable to SQL injection attacks, which would put your whole website at very high risk.

A simple method to prevent SQL injection attacks and remote file inclusion (RFI) in most plugins is to block direct loading of the plugin's script files (.php): add this code at the beginning of every .php file that includes other files or manages data in the database:

<?php
// Replace 'filename.php' with the name of the file this check is placed in
if ('filename.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die('Access not allowed!');

With this check in place, the script can no longer be loaded directly from the browser: if an attacker tries to request it with injected parameters, the request fails because die() terminates the script before any other code runs.
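As an added example (not code from the original post), here is the same check written so it can be pasted unchanged into any plugin file, next to the equivalent ABSPATH guard that WordPress plugins commonly use; the helper function, table name and event_id parameter are hypothetical, and show that the query behind a guarded file must still use $wpdb->prepare(), because the guard only stops direct requests, not the injection itself when WordPress runs the file with user input.

```php
<?php
/**
 * Direct-access guard for a WordPress plugin file (added example, not code
 * from the original post). Generalises the post's hard-coded 'filename.php'
 * check: basename(__FILE__) is the file itself, so the same lines can be
 * pasted unchanged into every plugin .php file.
 *
 * When WordPress loads the plugin, SCRIPT_FILENAME is the front controller
 * (index.php, wp-admin/admin.php, ...), so the basenames differ and the
 * guard passes. When the file is requested by URL, they match and we stop.
 */
if ( basename( __FILE__ ) === basename( $_SERVER['SCRIPT_FILENAME'] ) ) {
    die( 'Access not allowed!' );
}

// Equivalent guard used by most WordPress plugins today: ABSPATH is defined
// by wp-load.php, so it only exists when WordPress itself included this file.
defined( 'ABSPATH' ) || die( 'Access not allowed!' );

/**
 * The guard only blocks direct requests; the query itself must still be
 * safe, because the same code runs when WordPress calls it with user input
 * (e.g. an event_id request parameter). Hypothetical helper showing the
 * query written with $wpdb->prepare(), the WordPress API for parameterised
 * queries: %d forces the value to an integer before it reaches MySQL.
 */
function myplugin_get_event( $event_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_events'; // hypothetical table name
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d",
        $event_id
    );
    return $wpdb->get_row( $sql );
}
```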


If we analyze the public exploit code written against vulnerable WordPress plugins, we can see that in every case the attacker needs to load the plugin script directly; with this method the injected code is never executed. Some examples:

WordPress script <= x.x.x (Events Plugins) SQL Injection
    SQL: http://server/[Plugins]/?event_id=[inj3ct C0dE]

WordPress Image Manager Plugins Shell Upload
    /plugins/ImageManager/manager.php

WP-Cumulus <= 1.20 for WordPress
    plugins/nextgen-gallery/xml/media-plugins/wp-cumulus/tagcloud.swf

Related Sites 2.1 Blind SQL Injection
    plugins/related-sites/BTE_RW_webajax.php