WordPress Plugin Hide My WP with SQL Injection Vulnerability

[German] One of the most popular "security" plugins for WordPress, Hide My WP, has just attracted negative attention because of a serious SQL injection vulnerability. A second bug lets an attacker simply disable the plugin.



Plugin Hide My WP

The plugin Hide My WP is, according to the developers' own marketing, the best-selling "security" plugin for WordPress. I put the word "security" in quotes because the plugin is more snake oil than protection, and in this case an insecurity factor in its own right. The plugin promises to hide WordPress from attackers, spammers and theme detectors. The developer claims over 26,000 satisfied customers.

Vulnerabilities and bugs in the plugin

I just came across a post by Daniel Ruf on Facebook in a private WordPress security group that points out the vulnerability. PortSwigger's The Daily Swig covers the vulnerabilities in detail in the post WordPress security plugin Hide My WP addresses SQL injection, deactivation flaws.

Older versions of Hide My WP contained a serious SQL injection vulnerability (SQLi) and a second vulnerability that allowed unauthenticated attackers to disable the plugin. The bugs, which have since been patched, were discovered during a review of several plugins on a customer's website by Dave Jong, CTO of Patchstack, a company that protects WordPress websites from vulnerabilities and runs a bug-hunting platform focused on WordPress.

The SQL injection vulnerability "is pretty severe," Jong told The Daily Swig. "It allows anyone to extract information from the database, there are no prerequisites. A tool like SQLmap could easily exploit this vulnerability."

The other vulnerability is less severe, but could lead to a malicious user continuing the exploitation of another vulnerability under the right conditions, Jong added. Both vulnerabilities are "very easy to exploit because they don't require any prerequisites," according to Jong.
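To make the difference between the two query styles concrete, here is an added example; it is not code from Hide My WP or from Patchstack, and it does not reproduce the plugin's actual flaw. It uses an in-memory SQLite database through PDO so it runs offline with the PHP CLI. The table name, the rows, the function names and the probe string are all constructed for the demonstration. The vulnerable lookup splices the caller's input into the SQL text; the hardened lookup binds it as a parameter, so the input can only ever be compared as a literal value.

```php
<?php
// Added example, not Hide My WP's code: why string-built SQL is injectable
// and how a prepared statement closes the hole. Runs offline via PDO/SQLite.

function build_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE wp_options (option_name TEXT, option_value TEXT)');
    // Constructed sample rows. The second row stands in for data that an
    // unauthenticated caller must never be able to read.
    $pdo->exec("INSERT INTO wp_options VALUES ('blogname', 'Demo Site')");
    $pdo->exec("INSERT INTO wp_options VALUES ('demo_secret_path', '/not-wp-admin')");
    return $pdo;
}

// Vulnerable pattern: untrusted input becomes part of the SQL statement itself,
// so a quote character in the input changes the structure of the query.
function option_lookup_vulnerable(PDO $pdo, string $name): array {
    $sql = "SELECT option_name, option_value FROM wp_options WHERE option_name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed; the value travels as a bound
// parameter and is compared as data, never parsed as SQL.
function option_lookup_safe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT option_name, option_value FROM wp_options WHERE option_name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = build_db();
$benign  = 'blogname';
// Constructed probe: a quote plus a tautology, the textbook shape of an SQLi test.
$tainted = "blogname' OR '1'='1";

printf("vulnerable lookup, benign input:  %d row(s)\n", count(option_lookup_vulnerable($pdo, $benign)));
printf("vulnerable lookup, tainted input: %d row(s)\n", count(option_lookup_vulnerable($pdo, $tainted)));
printf("prepared lookup, tainted input:   %d row(s)\n", count(option_lookup_safe($pdo, $tainted)));
```

With the tainted input the vulnerable lookup returns every row of the table, including the one the caller should never see, while the prepared lookup returns nothing because no option is literally named `blogname' OR '1'='1`. Inside WordPress the same principle is applied with `$wpdb->prepare()` (placeholders such as `%s` and `%d`) instead of PDO; the point a reviewer checks for is that no request-controlled value is ever concatenated into the query string.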



Jong discovered the vulnerability, notified the plugin's developer, wpWave, and released a "virtual patch" for premium Patchstack users on Sept. 29, 2021. After wpWave failed to respond, Patchstack alerted Envato, the operator of the codecanyon.net marketplace, on October 5. The plugin was removed from the codecanyon.net marketplace within minutes. wpWave then fixed the bugs in version 6.2.4 of Hide My WP, released on October 26.



This entry was posted in Security, Software.
