{"id":632,"date":"2015-09-24T16:29:23","date_gmt":"2015-09-24T16:29:23","guid":{"rendered":"\/?p=632"},"modified":"2015-09-24T16:29:23","modified_gmt":"2015-09-24T16:29:23","slug":"analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/","title":{"rendered":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability"},"content":{"rendered":"<p><em>By:\u00a0<a href=\"http:\/\/nsfocusblog.com\/2015\/09\/18\/junli-shen\/\">Junli Shen<\/a>, Network Offensive and Defensive Researcher, NSFOCUS<\/em><\/p>\n<p><strong>Analysis of Core WordPress SQL Injection Vulnerability<\/strong><\/p>\n<p>As a Threat Response Center (TRC) researcher, I conducted a thorough analysis on the \u201cCore WordPress SQL Injection Vulnerability\u201d (CVE-2015-5623 and CVE-2015-2213).<\/p>\n<p><strong>Vulnerability Overview<\/strong><\/p>\n<p>Previously, I read a tweet about the SQL injection vulnerability found in the core function of WordPress. I was curious and tried to dig the code but only found that the author of the tweet exaggerated its severity. It is true that the application is prone to an injection vulnerability, which, however, can never be triggered by a low-privilege user like \u201cSubscriber\u201d as claimed by the author in his tweet.<\/p>\n<p>This series of blog posts concerning this vulnerability found in WordPress currently consists of two parts: One is about how to write a post marked as trash by a user with Subscriber permissions by bypassing access restrictions, and the other is about how to exploit this SQL injection vulnerability. Phithon from TRSC had explained the two vulnerabilities in his recent article. 
However, I would like to describe in more detail how the two vulnerabilities formed and how they were exploited, as well as other details that Phithon did not mention.<\/p>\n<p><strong>1 Article Submissions by Using Escalated Privilege<\/strong><\/p>\n<p><strong>Retrieval of _wpnonce<\/strong><\/p>\n<p>First of all, let\u2019s get to know how the _wpnonce parameter is used in the WordPress backend. The parameter is a token used to protect against cross-site request forgery (CSRF) attacks. Most sensitive functions in the backend generate tokens based on the current user information, function name, and operation object ID. Therefore, these functions can hardly work without tokens. The CSRF protection mechanism indirectly makes it almost impossible for a low-privilege user to trigger the SQL injection vulnerability as no token is visible. I will explain this in more detail in the following sections.<\/p>\n<p>The reason we need to talk about _wpnonce first is that we need a token that can be tampered with. This token can be retrieved from post-quickdraft-save in post.php in the backend. Strictly speaking, this method of retrieving tokens is an information disclosure vulnerability, which has been fixed by the vendor in the latest version. Here is how this token can be disclosed. The relevant section of code is as follows:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code1.jpg\"><img fetchpriority=\"high\" decoding=\"async\" class=\" wp-image-5588 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code1.jpg?w=539&amp;h=175\" alt=\"code1\" width=\"539\" height=\"175\" \/><\/a>From the preceding code, we can see that this function, when finding an error, prints related error information via the wp_dashboard_quick_press function. 
There is a line in the code on the page generated by this function:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code2.jpg\"><img decoding=\"async\" class=\" wp-image-5589 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code2.jpg?w=545&amp;h=23\" alt=\"code2\" width=\"545\" height=\"23\" \/><\/a><\/p>\n<p>A _wpnonce with the add-post function is generated. Therefore, even if we perform certain prohibited operations, the _wpnonce still appears on the return page.<\/p>\n<p><strong>Submission with Escalated Privilege and Race Condition<\/strong><\/p>\n<p>Phithon\u2019s article said that an authentication bypass vulnerability exists due to the chaotic GET\/POST logic. Let\u2019s look at the following code in post.php, which checks whether a post exists.<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code3.jpg\"><img decoding=\"async\" class=\" wp-image-5590 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code3.jpg?w=536&amp;h=173\" alt=\"code3\" width=\"536\" height=\"173\" \/><\/a><\/p>\n<p>Obviously, post information is obtained first by extracting the post ID from the \u201cpost\u201d parameter in GET. If this parameter is unavailable, the post_ID parameter in POST is extracted. Note that the check on whether a user has the permission to edit the post is conducted in edit_post with the parameter extracted from POST:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5591 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code4.jpg?w=539&amp;h=302\" alt=\"code4\" width=\"539\" height=\"302\" \/><\/a><\/p>\n<p>The \u201cif\u201d decision at the bottom of this section of code determines whether the current user is permitted to edit the post. 
The final operation for this decision is performed in map_meta_cap:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5592 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code5.jpg?w=540&amp;h=104\" alt=\"code5\" width=\"540\" height=\"104\" \/><\/a><\/p>\n<p>It is evident that if the post does not exist, this breaks the switch and the $caps variable is returned when the function ends. However, $caps is defined as an empty array when the function begins, so the array returned here is also empty. Now let\u2019s return to the has_cap function that calls map_meta_cap to see subsequent operations:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5593 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code6.jpg?w=545&amp;h=275\" alt=\"code6\" width=\"545\" height=\"275\" \/><\/a><\/p>\n<p>The foreach statement in line 20 checks whether all elements in $caps exist in $capabilities. If there is any missing in $capabilities, the result is \u201creturn false\u201d. However, as $caps is an empty array, we can easily obtain a \u201creturn true\u201d result, thus successfully bypassing permission checks. Now we know that we can try to update a nonexistent post by exploiting this flaw.<\/p>\n<p>However, the problem is that it is meaningless to update a nonexistent post because the database will definitely report an error when executing SQL statements. 
Then how can we successfully create a post?<\/p>\n<p>Between the permission check and the database\u2019s execution of SQL statements, the following code exists in post.php:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5594 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code7.jpg?w=543&amp;h=284\" alt=\"code7\" width=\"543\" height=\"284\" \/><\/a><\/p>\n<p>If an array named tax_input exists in POST, values in the parameter are separated with commas. For each separated value, a \u201cselect\u201d query is performed. Imagine what would happen if we used the ID of the latest post + 1 as the current post_ID and added a lot of information in tax_input. This would cause repeated \u201cselect\u201d queries. During this time, we can insert a post (whose ID is the ID of the latest post + 1) and now the subsequent update operation becomes quite meaningful.<\/p>\n<p>Here comes the last question: How can we insert a post? Does anyone still remember the function of post-quickdraft-save? It can be used to quickly save a draft.<\/p>\n<p>The following image, taken from Phithon\u2019s article, illustrates the process.<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/race_condition1.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5595 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/race_condition1.png?w=520&amp;h=393\" alt=\"Race_Condition1\" width=\"520\" height=\"393\" \/><\/a><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>What impressed me the most in the preceding debugging is the race condition, that is, how to insert and update a post at the appropriate time. If the post is inserted too early, the user fails the permission check. If it is inserted too late, the update operation is meaningless. 
In my experience, I would suggest leaving as much time as possible for the process to complete permission checks and putting as much information as possible in tax_input. Therefore, you can successfully insert a post between the permission check and the database\u2019s execution of SQL statements.<\/p>\n<p>There is also another factor that needs to be considered. Each user can save only one draft. The vulnerability reporter suggests waiting for a week for the draft to be automatically deleted. Luckily, _wpnonces can be stored for one more day, which allows us to retrieve a _wpnonce a day before the expected deletion date. Phithon provides a better suggestion, which is to use two accounts, one for inserting a post and the other for updating the post.<\/p>\n<p>The privilege escalation vulnerability consists of three flaws: information disclosure, permission check bypass, and program execution time manipulation, which are closely linked with each other.<\/p>\n<p><strong>2 SQL Injection Vulnerability<\/strong><\/p>\n<p><strong>Revision Trick<\/strong><\/p>\n<p>The vulnerability reporter first mentioned in his article a trick regarding revisions, which explains how further attacks are launched after a post is written with escalated privileges. However, as the reporter did not explain this trick thoroughly, it is impossible to trigger the SQL injection vulnerability with a subscriber account; the trick also wasn\u2019t mentioned in Phithon\u2019s article. Here, I would like to explain how this trick works.<\/p>\n<p>The following is an excerpt from the vulnerability reporter\u2019s article:<\/p>\n<p><em>\u201cRevisions are records of drafts or published updates to any post. Internally, WordPress implements revisions as complete posts and stores them in the posts database table with \u2018post_type\u2019 set to \u2018revision\u2019. 
Each revision has a \u2018post_parent\u2019 field, pointing to the original post the revision is based on.<\/em><\/p>\n<p><em>When attempting to edit a revision, the validation check is actually made following the \u2018post_parent\u2019 pointer, instead of the revision itself. Turns out, this provides the unique property we were after; if we create a child revision in addition to our original post, we can set its status to anything other than \u2018trash\u2019, while keeping the original post in the trash.<\/em><\/p>\n<p><em>Using this trick, we can edit this \u2018puppet revision\u2019 and freely add comments, while the original trashed post is the one being checked to allow our actions.\u201d<\/em><\/p>\n<p>Based on the preceding sections about writing a post with escalated privileges, we can see that the author described this trick for the purpose of editing the revision of the trashed post and manipulating comments on this post. This is because a post, even if submitted by the current Subscriber user, cannot be edited by this user, while the revision can. Therefore, according to the reporter, we can use this trick to continue subsequent operations.<\/p>\n<p><strong>Cause of the Vulnerability<\/strong><\/p>\n<p>This vulnerability is, in nature, a second-order SQL injection, which occurs because comments of a post are restored together with the trashed post and the comment restoring code contains directly spliced contents that are user-controllable. The following is the code in question:<\/p>\n<p><a href=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-5597 aligncenter\" src=\"https:\/\/nsfocusblog.files.wordpress.com\/2015\/09\/code.jpg?w=520&amp;h=352\" alt=\"code\" width=\"520\" height=\"352\" \/><\/a><\/p>\n<p>From the code, we can see that the $status and $comments values are spliced into the SQL statement and they can be manipulated by users. 
User-supplied data is stored in the database after being sanitized. Then such data can be directly taken from the database and spliced into the SQL statement. Therefore, if the attack statement is restored when extracted from the database, this is a standard second-order SQL injection.<\/p>\n<p><strong>Vulnerability Exploitation<\/strong><\/p>\n<p>After understanding the trick of revisions and the cause of the vulnerability, we find it quite easy to exploit this vulnerability:<\/p>\n<p>Step 1 Comment on a revision of a post.<\/p>\n<p>Step 2 Edit the comment status by inserting an injection attack statement.<\/p>\n<p>Step 3 Trash the revision.<\/p>\n<p>Step 4 Restore the original post of the revision.<\/p>\n<p>All seems to be normal. However, do you still remember the _wpnonce parameter I mentioned previously? Yes, that\u2019s it! The author did not say anything about how to retrieve this _wpnonce, which makes steps 1, 2, and 4 impossible to process.<\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>If you consider it a direct method to conduct a second-order injection by reading the stored content failing to be sanitized from the database, I believe that the author\u2019s idea of launching an attack by editing revisions of a trashed post will definitely wow you.<\/p>\n<p>The author claimed that the status of revisions could be set to anything other than \u201ctrash\u201d. However, according to my research analysis it is not true. The status of a post can be \u201cpublish\u201d, \u201cfuture\u201d, \u201cprivate\u201d, \u201cinherit\u201d, \u201cauto-draft\u201d, \u201cattachment\u201d, \u201cdraft\u201d, \u201cpending\u201d, or \u201ctrash\u201d. We can change the status of revisions only to \u201cinherit\u201d, \u201cpending\u201d, or \u201cdraft\u201d. 
If we could change the revision status to \u201cprivate\u201d, steps 1 and 2 would be able to be performed in the foreground.<\/p>\n<p><strong>3 Conclusions<\/strong><\/p>\n<p>Through analysis of this vulnerability, I realize that the token mechanism of WordPress is really effective, which can protect against not only CSRF but also other types of attacks.<\/p>\n<p>The logic of GET\/POST operations is determined by web code and tends to become chaotic, as is the case with the code of WordPress, especially when permission checks need to be performed.<\/p>\n<p>The second-order injection is an issue frequently talked about. It happens because some systems trust recorded data unconditionally and finally even forget that certain entries were actually written by users.<\/p>\n<p><strong>4 References<\/strong><\/p>\n<p>[1] Finding Vulnerabilities in Core WordPress: A Bug Hunter\u2019s Trilogy, Part I<\/p>\n<p>[2] Finding Vulnerabilities in Core WordPress: A Bug Hunter\u2019s Trilogy, Part II \u2013 Supremacy<\/p>\n<p>[3] Analysis of WordPress 4.2.3 Privilege Escalation and SQL Injection Vulnerability (CVE-2015-5623)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By:\u00a0Junli Shen, Network Offensive and Defensive Researcher, NSFOCUS Analysis of Core WordPress SQL Injection Vulnerability As a Threat Response Center (TRC) researcher, I conducted a thorough analysis on the \u201cCore WordPress SQL Injection Vulnerability\u201d (CVE-2015-5623 and CVE-2015-2213). 
Vulnerability Overview Previously, I read a tweet about the SQL injection vulnerability found in the core function of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":31888,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"By:\u00a0Junli Shen, Network Offensive and Defensive Researcher, NSFOCUS Analysis of Core WordPress SQL Injection Vulnerability As a Threat Response Center\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2015-09-24T16:29:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Analysis of WordPress SQL 
Injection and Privilege Escalation Vulnerability - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"By:\u00a0Junli Shen, Network Offensive and Defensive Researcher, NSFOCUS Analysis of Core WordPress SQL Injection Vulnerability As a Threat Response Center\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"Analysis of WordPress SQL Injection and Privilege Escalation 
Vulnerability\",\"datePublished\":\"2015-09-24T16:29:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/\"},\"wordCount\":1863,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/qtq80-UzJDxW.jpeg\",\"articleSection\":[\"Blog\"],\"inLanguage\":\"pt-BR\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/\",\"name\":\"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/qtq80-UzJDxW.jpeg\",\"datePublished\":\"2015-09-24T16:29:23+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\
\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/qtq80-UzJDxW.jpeg\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/qtq80-UzJDxW.jpeg\",\"width\":2160,\"height\":1440,\"caption\":\"Modern glass skyscrapers reflecting a blue sky in a city center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and 
Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"pt_BR","og_type":"article","og_title":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS","og_description":"By:\u00a0Junli Shen, Network Offensive and Defensive Researcher, NSFOCUS Analysis of Core WordPress SQL Injection Vulnerability As a Threat Response Center","og_url":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/","og_site_name":"NSFOCUS","article_published_time":"2015-09-24T16:29:23+00:00","og_image":[{"url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_title":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - NSFOCUS","twitter_description":"By:\u00a0Junli Shen, Network Offensive and Defensive Researcher, NSFOCUS Analysis of Core WordPress SQL Injection Vulnerability As a Threat Response Center","twitter_image":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","twitter_misc":{"Escrito por":"admin","Est. 
tempo de leitura":"9 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#article","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/"},"author":{"name":"admin","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d"},"headline":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability","datePublished":"2015-09-24T16:29:23+00:00","mainEntityOfPage":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/"},"wordCount":1863,"publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"image":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","articleSection":["Blog"],"inLanguage":"pt-BR"},{"@type":"WebPage","@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/","url":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/","name":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability - 
NSFOCUS","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#primaryimage"},"image":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","datePublished":"2015-09-24T16:29:23+00:00","breadcrumb":{"@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#primaryimage","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/11\/qtq80-UzJDxW.jpeg","width":2160,"height":1440,"caption":"Modern glass skyscrapers reflecting a blue sky in a city center."},{"@type":"BreadcrumbList","@id":"https:\/\/nsfocusglobal.com\/analysis-of-wordpress-sql-injection-and-privilege-escalation-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nsfocusglobal.com\/"},{"@type":"ListItem","position":2,"name":"Analysis of WordPress SQL Injection and Privilege Escalation Vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website","url":"https:\/\/nsfocusglobal.com\/pt-br\/","name":"NSFOCUS","description":"Security Made Smart and 
Simple","publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nsfocusglobal.com\/pt-br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization","name":"NSFOCUS","url":"https:\/\/nsfocusglobal.com\/pt-br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","width":248,"height":36,"caption":"NSFOCUS"},"image":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d","name":"admin","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/nsfocusglobal.com"],"url":"https:\/\/nsfocusglobal.com\/pt-br\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/users
\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=632"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/632\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/31888"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}