Wordfence, a security company focused on WordPress security, recently made available information on several vulnerabilities they discovered within the Tutor LMS plugin back in December 2020. Tutor LMS is a learning management system through WordPress, designed to create and sell courses online. Five SQL injection vulnerabilities were disclosed to Tutor LMS on December 15th, 2020. Although Wordfence received a quick acknowledgement by the plugin authors, Wordfence did not deem the vulnerabilities sufficiently remediated until February 16th, 2021 after several revisions to the plugin.
Overall, three different types of SQL vulnerabilities were discovered:
- UNION-based – One of the most common; Occurs when an additional SQL query can be added to the existing query performed by the application. With some trial and error, attackers could dump and view other tables directly through the website.
- Blind-based – Similar to UNION-based, but the server response can only be true or false. With this method, attackers must use additional queries to discover information one character at a time.
- Time-Based – Time-based injections return no information to the attacker. Using SQL functions like SLEEP(), it is possible to measure the response time of the query to determine if the result was successful. Similar to Blind-based, this must be done one character at a time.