WordPress WPLMS, VibeBP SQL Injection 취약점 (CVE-2024-56042, CVE-2024-56047, CVE-2024-56039, CVE-2024-56041)

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. VibeBP (Vibe BuddyPress Plugin)

- WPLMS와 함께 사용되는 플러그인으로, 강력한 소셜 네트워킹 및 회원 관리 기능을 제공

3. 취약점

3.1 CVE-2024-56042 [2][3]

[사진 1] CVE-2024-56042

- WPLMS에서 발생하는 SQL Injection 취약점 (CVSS: 9.3)

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- includes/vibe-course-module/includes/api/v3/class-api-commissions.php의 get_instructor_commissions_chart()에 취약점 존재
> json/wplms/v1/commissions/instructor/<ID>/chart의 REST 엔드포인트를 처리
> REST 엔드포인트 자체에서는 commissions_request_validate()를 통해 사용자 권한을 확인

 

> Line4 및 Line7 : 클라이언트 요청에서 course_id와 currency 파라미터를 추출 및 $course_id와 $currency에 할당 
> Line16 ~ Line24 : $course_id와 $currency를 .=(문자열 연결 연산자) 연사자를 사용해 $and_where에 할당
> Line29 ~ Line40 : get_results()를 사용해 SQL 쿼리를 실행한 후 결과를 $results에 할당

 

- $course_id와 $currency에 대한 적절한 검증 없이 $and_where에 포함되어 SQL 쿼리에 사용되므로, 유효한 ID를 가진 공격자에 의해 SQL Injection 취약점이 발생

includes/vibe-course-module/includes/api/v3/class-api-commissions.php, function get_instructor_commissions_chart()
1     function get_instructor_commissions_chart($request){
2     
3     $user_id = $request->get_param('id');
4     $course_id =$request->get_param('course_id');
5     $date_start = $request->get_param('date_start');
6     $date_end = $request->get_param('date_end');
7     $currency = $request->get_param('currency');
8     ------------ CUT HERE ------------
9     
10     $and_where = '';
11     $start_date = '';
12     $end_date = '';
13     $group_by = ' GROUP BY select_parameter';
14     $select = 'MONTH(activity.date_recorded) as select_parameter';
15     
16     if(!empty($course_id)){
17     $and_where .= " AND activity.item_id = $course_id ";
18     }else{
19     
20     ------------ CUT HERE ------------
21     }
22     if(!empty($currency)) {
23     $and_where .= " AND meta2.meta_value = '".$currency."' ";
24     }
25     
26     ------------ CUT HERE ------------
27     global $wpdb;
28     global $bp;
29     $results = $wpdb->get_results( "
30     SELECT ".$select.", sum(meta.meta_value) as commission
31     FROM {$bp->activity->table_name} AS activity
32     LEFT JOIN {$bp->activity->table_name_meta} as meta ON activity.id = meta.activity_id
33     LEFT JOIN {$bp->activity->table_name_meta} as meta2 ON activity.id = meta2.activity_id
34     WHERE     activity.component     = 'course'
35     AND     activity.type     = 'course_commission'
36     AND     activity.user_id     = {$user_id}
37     AND     meta.meta_key   LIKE '_commission%'
38     AND     meta2.meta_key   LIKE '_currency%'
39     .$and_where.
40     .$group_by,ARRAY_A);
41     ------------ CUT HERE ------------
42     }

 

3.2 CVE-2024-56047 [4][5]

[사진 2] CVE-2024-56047

- WPLMS에서 발생하는 SQL Injection 취약점

영향받는 버전 : WPLMS < 1.9.9.5.3

 

- include/vibe-course-module/includes/api/v3/class-api-user-controller.php의 search_users_in_chat()에 취약점 존재
> json/wplms/v2/user/alluser의 REST 엔드포인트를 처리하며, 인증된 모든 사용자가 액세스할 수 있음
> Line3 : 클라이언트로부터 전달받은 user_initials를 추출해 $user_initials에 할당
> Line4 : $user_initials를 포함해 SQL 쿼리 실행 및 결과를 $results에 할당

 

- user_initials에 대한 적절한 검증 없이 $user_initials에 할당되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/vibe-course-module/includes/api/v3/class-api-user-controller.php, function search_users_in_chat()
1     function search_users_in_chat($request){
2     global $wpdb;
3     $user_initials = $request->get_param('user_initials');
4     $results = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}users WHERE `user_nicename` LIKE '%{$user_initials}%'", ARRAY_A );
5     
6     $return = array('status'=>1,'message'=>'','users'=>array());
7     if(!empty($results)){
8     foreach($results as $result){
9     $return['users'][]=apply_filters('wplms_api_search_users_in_chat',array(
10     'name'=> bp_core_get_user_displayname($result['ID']),
11     'id'=> intval($result['ID']),
12     'image'=> bp_core_fetch_avatar(array('item_id' => $result['ID'],'type'=>'thumb', 'html' => false)),
13     'type'=> (user_can(intval($result['ID']),'manage_options')?_x('Administrator','Chat search result user type','wplms'):(user_can($result['ID'],'edit_posts')?_x('Instructor','Chat search result user type','wplms'):_x('Student','Chat search result user type','wplms')))
14     ));
15     }
16     }else{
17     $return = array('status'=> 0,'message'=>_x('No user found !','Chat search result','wplms'),'users'=>array());
18     }
19     
20     }

 

3.3 CVE-2024-56039 [6][7]

[사진 3] CVE-2024-56039

- VibeBP에서 발생하는 SQL Injection 취약점 (CVSS: 9.3)

영향받는 버전 : VibeBP < 1.9.9.7.7

 

- include/buddypress/class-api-settings-controller.php의 get_avatar()에 취약점 존재
> json/vbp/v1/avatar의 REST 엔드포인트를 처리
> REST 엔드포인트 자체에서는 commissions_request_validate()를 통해 사용자 권한을 확인

 

> Line3 ~ Line4 : 클라이언트로부터 전달받은 요청의 Body를 JSON으로 디코딩 및 재귀적으로 필터링한 후 $body에 할당
> Line33 : $body['ids']['item_id']를 포함해 SQL 쿼리 실행 및 결과를 $name에 할당

 

- $body 값에 대한 적절한 검증 없이 get_var()에 포함되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/buddypress/class-api-settings-controller.php, function get_avatar()
1     function get_avatar($request){
2     
3     $body = json_decode($request->get_body(),true);
4     $body = vibebp_recursive_sanitize_text_field($body);
5     $name = '';
6     $avatar= '';
7     $key='';
8     $type = '';
9     if(!empty($body['type'])){$type=$body['type'];}
10     switch($type){
11     case 'friends':
12     
13     $key = 'user_'.$body['ids']['item_id'];
14     $avatar = bp_core_fetch_avatar(array(
15     'item_id' => (int)$body['ids']['item_id'],
16     'object'  => 'user',
17     'type'=>'thumb',
18     'html'    => false
19     ));
20     $name = bp_core_get_user_displayname($body['ids']['item_id']);
21     
22     
23     break;
24     case 'group':
25     $key = 'group_'.$body['ids']['item_id'];
26     $avatar = bp_core_fetch_avatar(array(
27     'item_id' => (int)$body['ids']['item_id'],
28     'object'  => 'group',
29     'type'=>'thumb',
30     'html'    => false
31     ));
32     global $wpdb,$bp;
33     $name = $wpdb->get_var("SELECT name from {$bp->groups->table_name} WHERE id=".$body['ids']['item_id']);
34     ------------- CUT HERE -------------

 

3.4 CVE-2024-56041 [8][9]

[사진 4] CVE-2024-56041

- VibeBP에서 발생하는 SQL Injection 취약점

영향받는 버전 : VibeBP < 1.9.9.5.1

 

- include/buddypress/class-api-messages-controller.php의 remove_message_label()에 취약점 존재
> json/vbp/v1/messages/label/remove의 REST 엔드포인트를 처리

 

> Line2 ~ Line3 : 클라이언트로부터 전달받은 요청의 Body를 JSON으로 디코딩 및 재귀적으로 필터링한 후 $body에 할당
> Line14 및 Line16 : $body['slug']를 $slug에 할당한 후 이를 포함해 SQL 쿼리 실행 및 결과를 $labels_count에 할당

 

- $slug 값에 대한 적절한 검증 없이 get_results()에 포함되어 SQL 쿼리에 사용되므로, SQL Injection 취약점이 발생

includes/buddypress/class-api-messages-controller.php, function remove_message_label()
1     function remove_message_label($request){
2     $body = json_decode($request->get_body(),true);
3     $body = vibebp_recursive_sanitize_text_field($body);
4     $labels = get_user_meta($this->user->id,'vibebp_message_labels',true);
5     if(!empty($labels)){
6     $remove = 0;
7     foreach($labels as $k=>$l){
8     if($l['slug'] === $body['slug']){
9     $remove = $k;
10     break;
11     }
12     }
13     $label_key = 'vibebp_label_'.$this->user->id;
14     $slug = $body['slug'];
15     global $wpdb,$bp;
16     $labels_count = $wpdb->get_results("DELETE FROM {$bp->messages->table_name_meta} WHERE meta_key = '$label_key' AND meta_value = '$slug'");
17     unset($labels[$remove]);
18     update_user_meta($this->user->id,'vibebp_message_labels',$labels);
19     }
20     
21     return new WP_REST_Response( array('status'=>1,'labels'=>$labels,'message'=>_x('Label removed.','message','vibebp')), 200 ); 
22     }

4. 대응방안

- 벤더사 제공 업데이트 적용 [10][11]
> WPLMS Plugin 1.9.9.5.3
> Vibebp 1.9.9.7.7
> 관련된 변수 및 코드에 적절한 이스케이프를 적용

5. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56042
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-unauthenticated-sql-injection-vulnerability
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-56047
[5] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-sql-injection-vulnerability
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-56039
[7] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-7-7-unauthenticated-sql-injection-vulnerability
[8] https://nvd.nist.gov/vuln/detail/CVE-2024-56041
[9] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-5-1-sql-injection-vulnerability
[10] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[11] https://asec.ahnlab.com/ko/85311/