CVE 2023–23490 — Survey Maker Wordpress Plugin < 3.1.2 — Subscriber+ SQLi

22 min readJul 3, 2023

The Survey Maker WordPress Plugin, version < 3.1.2, is been discovered by an authenticated SQL injection vulnerability in the ‘surveys_ids’ parameter of its ‘ays_surveys_export_json’ action.

What is Survey Maker ?

SurveyMaker is a WordPress plugin helps WordPress developers t to create, distribute, and analyze surveys. It provides a user-friendly interface and a range of features to design surveys, collect responses, and gain insights from the data.

Survey-Makers is commonly used for various purposes, including:

Market Research
Customer Feedback
Employee Surveys
Academic Research
Event Planning
Non-profit and Government Surveys

Survey Maker offers a variety of question types, customizable survey templates, survey logic and branching, response validation, and data analysis tools. It provides options to distribute surveys via email invitations, social media, embedded links, or website pop-ups. The collected data can be analyzed using built-in reporting features or exported for further analysis.

Why Wordpress Developer use it ?

It can be multiple reasons why WordPress developers will use survey maker in their organization , some of them I can think can be :

Consistent Branding
Data Management
Audience Engagement
Flexibility and Customization
Integration with other WordPress Feature

Build the Lab:

Pre-requisite for the Lab

Now a days everyone is working on micro-service architecture so why not us so you need a docker 😈
Docker Downloads , select your appropriate OS and setup docker in your machine:
https://www.docker.com/products/docker-desktop/
Debugging tool
For this POC I have been using VSCODE (Visual Studio Code) for Debugging the code and analysis, please select your desired IDE but if you want to use VSCODE like me please download it from : https://code.visualstudio.com/download

Lab-Setup :

Assuming that you have docker installed and working , let’s continue with the lab setup

Create a working folder at your desired location in your local machine like I created with the below command

mkdir security-research
cd security-research
mkdir cve-2023-23490

NOTE: I have a bad habbit of creating a subfolder under main folder
 with the cve which I analyse.cve-<cve-number>So now my directory hierarchy looks like below

Once the working desired folder is created move to the security-research folder and create a docker-compose.yml file under security-research folder

version: "3"
# Defines which compose version to use 
services:
  # Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image. 
  db:
    image: mysql:5.7
  # image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation. 
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD 
      MYSQL_DATABASE: MyWordPressDatabaseName 
      MYSQL_USER: MyWordPressUser 
      MYSQL_PASSWORD: Pa$$5w0rD

  wordpress: 
    depends_on:
      - db
    build: .
    restart: always
    # Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immed 
    ports:
      - "8000:80"
    # The previous line defines the port that the WordPress container will use. After successful installation, the full path will lo 
    environment:
      WORDPRESS_DB_HOST: db:3306 
      WORDPRESS_DB_USER: MyWordPressUser 
      WORDPRESS_DB_PASSWORD: Pa$$5w0rD 
      WORDPRESS_DB_NAME: MyWordPressDatabaseName
  # Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly 
    volumes:
      - ./cve-2023-23490:/var/www/html
volumes:
  mysql: {}

I would have loved to explain docker-compose.yml file above , but It will make make document lengthy so let me give a short little summary the above docker compose file will create mysql service along with wordpress at docker container daemon.
Once the docker-compose.yml file is created , create a one more file name it as Dockerfile with below content :

FROM php:8.0.0-apache

RUN docker-php-ext-install mysqli

Once both the files (docker-compose.yml and Dockerfile)are created , use docker compose up command mentioned below to create wordpress and mysql services container:

NOTE : Make sure you are in security-research folder or in the directory where your Dockerfile and docker-compose.yml file is available. Once that confirmed run below command to bring wordpress and mysql container running docker compose up or docker compose up -d The -d flag in the docker-compose up -d command stands for "detached" mode.

To verify the docker container and WordPress is running check with

docker container ls

The command must list the wordpress and mysql container running on port mentioned in the docker-compose.yml file.

The other way to verify that the WordPress is running please navigate to : http://localhost:8000/

Expected output :

🎉 Congratulations ! you have installed WordPress successfully with mysql service

Background Story

In this Lab I will demonstrate how an authenticated user can exploit the vulnerability discovered in survey maker plugin by manipulating the ‘surveys_ids’ parameter and injecting malicious SQL code into the plugin’s database queries. This will lead anyone to unauthorized access, modification, or extraction of sensitive data stored in the plugin’s database.

Vulnerability Reproduction:

After a successful installation of WordPress and Mysql service let’s setup the WordPress admin by following the step :

Select a Language to install the completion of wordpress in local machine

Signup with your details and Install WordPress plugin

Once the signup is completed please remember the username you have created as that’s the same user will be used to login to the WordPress

After signup please login to the WordPress sign-in page providing the credentials you created in last step for sign-up

Once you are logged in as a admin user install a vulnerable survey maker plugin click on Plugins link in WordPress admin dashboard board side bar:

Search for survey maker plugin typing the survey maker search keyboard .

Once you located the survey maker plugin don’t click the install button otherwise patched and updated survey maker plugin will be downloaded we need the vulnerable version so instead install please click More Details link .

Once you click on More Details link it will redirect you to the WordPress official plugins website there you will see Survey Maker plugin selected already , just scroll down the website and select advance view:

Scroll down to Development Version dropdown menu select the version 3.1.1 or older and click Download button next to the dropdown

Click Download button next to DropDown

Download Button will download the particular version zip file at local , click on Plugins tab again from WordPress admin panel

Click the Upload Plugin button on the top and select the newly downloaded survey-maker zip file and click Install Now

Once uploaded click Install Now button to install survey-maker , Once installed successfully you will see Survey Maker plugin in your WordPress admin dashboard

If you click Survey Maker you will notice that there is already a default survey available with some Shortcode , sys_survey_id=1 Copy the Shortcode

Click to Posts tab from side bar of the Dashoard and you can see all posts there , there will be some default posts available like Hello world!

Click the Posts title hyperlink to edit the Hello world! post , and click the + icon in the post.

When you click + you will see Shortcode as the option , please enter the Shortcode copied in step 9 above (Survey Maker Shortcode).

Once That’s done click the update button

On the Hello world! blog you can also click Preview button on the top to take a look how the post will view like

Once Hello world! post is updated go back to WordPress admin dashboard and create a new user with subscriber role

Click Users tab from Dashboard side bar and Click on Add New link

Fill up the user details and click Add New User

Verify user creation from Users side bar link in WordPress admin Dashboard

Once the user creation is verified , newly created user with subscriber role can view the Hello world! post created in our previous steps .

Keeping the same user as logged in ,

Please copy the below link and paste it in the browser ,

observe the outcome :http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1

Let’s compose the SQL Command time base Injection command and paste in the url and see if that works we will use default sleep method to delay the response :

http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1 )+AND+(SELECT+1+FROM+ (SELECT(SLEEP(10)))a) — +-

SQL Injection Command BreakDown

http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1 )+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+ is attempting to exploit a SQL injection vulnerability in the 'ays_surveys_export_json' action of the WordPress plugin.

In this case, the URL is structured to modify the behavior of the SQL query executed by the plugin. The ‘surveys_ids’ parameter is being manipulated to include additional SQL code. Let’s break down the URL:

http://localhost:8000/wp-admin/admin-ajax.php is the URL of the WordPress admin-ajax.php file, which handles AJAX requests in the WordPress backend.
action=ays_surveys_export_json specifies the action parameter, indicating that the 'ays_surveys_export_json' action of the plugin should be triggered.
surveys_ids[0]=1 sets the 'surveys_ids' parameter to 1, indicating that the survey with ID 1 should be targeted.

The interesting part comes after the ‘surveys_ids[0]=1’ parameter:

)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+ is appended to the URL. This is a SQL injection attempt to modify the behavior of the SQL query executed by the plugin.
The )+AND+( part is used to add additional conditions to the query.
SELECT+1+FROM+(SELECT(SLEEP(10)))a is a subquery that attempts to induce a delay of 10 seconds (via the SLEEP function) in the query execution. This is often used to test for SQL injection vulnerabilities and determine if the server is vulnerable to time-based attacks.
-+ is a comment delimiter used to comment out the rest of the original SQL query, effectively nullifying it.

In short the provided URL is trying to exploit the ‘ays_surveys_export_json’ action of the WordPress plugin by injecting malicious SQL code to manipulate the query execution and induce a delay. This attack is attempting to confirm the presence of a SQL injection vulnerability in the plugin and delay in the response did confirmed the same.

Debugging Details

Let’s understand why did that happened and dig more

So to debug the issue I made some changes to the Dockerfile , docker-compose.yml file and used my lovely VSCODE (visual studio code) to statically analyze the code and see what might not worked properly for survey maker plugin.

To use VSCODE as a debugger , I installed a plugin named as Xdebug , to install the Xdebug plugin click the Run tab in VSCODE IDE and select Install Additional Debuggers

As I have already installed which is the reason you can see it says disable , if you are doing it first time you need to install the PHP debugger from xdebug

Once the PHP debugger is installed we need to create the .vscode directory in security-research folder and the launch.json file inside that directory basically they are used to configure the debugging environment for PHP applications using Xdebug in Visual Studio Code (VS Code).

launch.json file content looks like below

{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Listen for Xdebug",
            "type": "php",
            "request": "launch",
            "pathMappings": {"/var/www/html": "${workspaceRoot}/cve-2023-23490"},
            "port": 9003,
            "log": true,
            
        }
    ]

NOTE: EXPLAINING THE NEED OF .VSCODE and launch.json file

.vscode Directory: The .vscode directory is a hidden directory 
that is automatically recognized by VS Code as the workspace-specific 
configuration directory. It allows you to define settings and configurations
 specific to your project.**launch.json File**: Inside the .vscode directory, the launch.json 
file is used to configure the debugging launch configurations for 
your PHP application. It specifies how the debugger should start 
and attach to your application when you initiate a debugging session.**Debugging PHP with Xdebug**: Xdebug is a powerful PHP extension
 that provides debugging and profiling capabilities. To debug PHP 
code using Xdebug, you need to configure your PHP runtime to enable 
Xdebug and set up the necessary connection between Xdebug and your 
IDE (in this case, VS Code).**Xdebug Listening on Port 9003**: The choice of port for Xdebug 
to listen on (e.g., 9003) is a configuration option. By default, 
Xdebug listens on port 9003, but in some cases, that port might
already be used by other services. Therefore, to avoid conflicts, 
you can specify a different port for Xdebug to listen on.

We also need a php.ini file as well, php.ini configuration file specifically tailored for Xdebug , keep the file under security-research folder

[xdebug]
zend_extension=xdebug.so
xdebug.mode=debug
xdebug.client_host=host.docker.internal
xdebug.client_port=9003
xdebug.discover_client_host=yes
xdebug.remote_cookie_expire_time=3600
xdebug.log=/tmp/xdebug.log
xdebug.discover_client_host=0
xdebug.idekey=VSCODE

Once we have the .vscode , launch.json and php.ini file available at security-research directory created initially , we need to modify Dockerfile and docker-compose.yml file as well to allow Xdebug to work properly

Update the Dockerfile file with below command

FROM php:8.0.0-apache

RUN docker-php-ext-install mysqliARG XDEBUG_INI="/usr/local/etc/php/conf.d/xdebug.ini"RUN pecl install xdebug && docker-php-ext-enable xdebug

The mentioned commands in the Dockerfile are used to install and enable Xdebug for PHP in a Docker container.

Similarly we also need to update the docker-compose.yaml file as well to allow debugging , so update the docker-compose.yaml file :

version: "3"
# Defines which compose version to use 
services:
  # Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image. 
  db:
    image: mysql:5.7
  # image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation. 
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD 
      MYSQL_DATABASE: MyWordPressDatabaseName 
      MYSQL_USER: MyWordPressUser 
      MYSQL_PASSWORD: Pa$$5w0rD

  wordpress: 
    depends_on:
      - db
    build: .
    restart: always
    # Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immed 
    ports:
      - "8000:80"
    # The previous line defines the port that the WordPress container will use. After successful installation, the full path will lo 
    environment:
      XDEBUG_CONFIG: remote_host=host.docker.internal
      WORDPRESS_DB_HOST: db:3306 
      WORDPRESS_DB_USER: MyWordPressUser 
      WORDPRESS_DB_PASSWORD: Pa$$5w0rD 
      WORDPRESS_DB_NAME: MyWordPressDatabaseName
  # Similar to MySQL image variables, the last four
  # lines define the main variables needed for the WordPress 
  # container to work properly , Copying the Xdebug setting file in /usr/local/etc/php/php.ini container 
    volumes:
      - ./cve-2023-23490:/var/www/html
      - ./php.ini:/usr/local/etc/php/php.ini
volumes:
  mysql: {}

Once all files mentioned above updated for Xdebug , restart the services by using below command

# Docker compose down will bring the service down and 
# --volumes flag will remove the Docker volumes associated with the services defined in your Docker Compose file.

docker compose down --volumes
After the changes made for Xdebug services run docker compose up -d

Once the services are running up again let’s put the breakpoint in the code from VSCODE , How to put breakpoint in VSCODE:

Select the php file where you want to put the breakpoint

In our case the action is being called from admin-ajax.php file and Issue occurs when a authenticated user calls an action ays_surveys_export_json so I kept the breakpoint in the same file , placing a breakpoint is easy in VSCODE just click on the line number where you want to put the breakpoint and select run and select start debugging or after a breakpoint settled you can simply press f5 from the keyboard and debugging will be started:

Once we started the debugging you can see whenever admin-ajax.php file is invoked the breakpoints stopped for review of the code , there is a debugger view bar appears automatically

Continue Button:

2. Step Over

Step in and Step Out

Restart and Stop

Continue: This action allows the program execution to continue 
without interruption until the next breakpoint is encountered. 
It is useful when you want to skip over certain sections of code 
and continue debugging from a specific point.
Step Over: Step Over allows you to execute the current line of 
code and move to the next line. If the line contains a function call, 
it will execute the entire function and return to the next line in the 
current scope. It's helpful for quickly moving through code without 
diving into the details of function calls.
Step In: Step In is used to step into a function call. If the 
current line contains a function call, the debugger will enter the 
function and pause at its first line, allowing you to debug the 
function's internal code. It's useful for closely examining how a 
function behaves and finding any issues within it.
Step Out: Step Out is used to quickly move out of the current 
function being debugged. If you're currently inside a function, 
this action will execute the remaining lines of the function and 
pause at the line where the function was called. It helps in 
bypassing the detailed execution of the function and focusing 
on the calling code.
Restart: Restarting the debugger means resetting the debugging process. 
It clears all breakpoints and variables, and the program starts running 
from the beginning. This action is useful when you want to retest a 
particular section of code or start the debugging process afresh.
Stop: The Stop action terminates the debugging session completely. 
It halts the execution of the program and closes the debugger interface. 
It is used when you want to end the debugging process and continue
normal program execution.
All the variables and current running values is visible in the page , we have watch as well where we can place set of variables , functions which we wanted to keep an eye on

Example:

As I logged in as subscriber user , subscriber login details are appearing while doing the debug of the code

I changed the action to ays_surveys_export_json to monitor the action and see which function is being called in survey-maker plugin:

Action been set to :

After checking particular user is logged in or not, it will trigger the wp_ajax_action as being the subscriber user logged in already this will pass on to the action :

Digging Deeper to analyze the code:

if ( is_user_logged_in() ) {: This line checks if the user is logged in or authenticated. The is_user_logged_in() function returns true if the user is logged in and false otherwise.

if ( ! has_action( "wp_ajax_{$action}" ) ) {: This line checks if there is a registered action for the current AJAX request. It uses the has_action() function to check if any callbacks are registered for the specific action.

"wp_ajax_{$action}" is a dynamic hook name formed by concatenating the "wp_ajax_" prefix with the value of the $action variable. This allows WordPress to identify and execute the corresponding callback function for the AJAX action.

wp_die( '0', 400 );: If no action is registered for the requested AJAX action, this line will be executed. It calls the wp_die() function to display an error message and terminate the script execution.

The '0' parameter passed to wp_die() represents the response content, which in this case indicates an error.
The 400 status code passed as the second parameter indicates a Bad Request response, indicating that the request was malformed or invalid.

As these information was not quite enough to locate where is the actual culprit, so I stepped in under has_action method

I did step in to monitor it more closely for has_action()

The **`has_action()`** function is a helper function in
 WordPress that checks if any callbacks are registered 
for a specific action hook. Here's what the code does:
1. The **`has_action()`** function accepts two parameters: **`$hook_name`** 
and **`$callback`** (optional).
2. It internally calls the **`has_filter()`** function, passing 
the **`$hook_name`** and **`$callback`** parameters to it.
3. The **`has_filter()`** function is a core WordPress function
 that checks if any callbacks are registered for a specific filter 
or action hook. It returns **`true`** if at least one callback is 
registered, and **`false`** otherwise.
4. By calling **`has_filter()`** and passing the **`$hook_name`** 
and **`$callback`** parameters to it, the **`has_action()`** 
function effectively checks if any callbacks are registered for
 the specified action hook.
5. Finally, the **`has_action()`** function returns the result 
of **`has_filter()`**, indicating whether there are callbacks 
registered for the given action hook (**`$hook_name`**).
In summary, the **`has_action()`** function is a convenient 
wrapper around the **`has_filter()`** function that specifically
 checks if there are any callbacks registered for an action hook. 
It helps determine if any actions have been hooked to a particular hook name.

As the has_action() did not justified the actual call , so I stepped more in and identified a function apply_filter() inside a class class-wp-hook.php is setting the $callback to survey-maker and function named as ays_surveys_export_json

and the call_user_func_array( $the_[‘function’], $args ); which is in class-wp-hook.php is the one which was calling the function

And finally we discovered the culprit and time for Static Analysis what’s wrong in the code , we discovered this function is available in class-survey-maker-admin.php file so we placed our breakpoint there directly now to analyze the code in next step.

Static Code Analysis

After we reached to the file where the culprit code was available:

I copied the function code to do the analysis

Vulnerable code

 //--------------------- Xcho Survey export ------------------------------    public function ays_surveys_export_json() {
        global $wpdb;        $surveys_ids = isset($_REQUEST['surveys_ids']) ? array_map( 'sanitize_text_field', $_REQUEST['surveys_ids'] ) : array();
        $surveys_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'surveys';
        $survey_category_table = $wpdb->prefix. SURVEY_MAKER_DB_PREFIX . "survey_categories";
        $questions_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX. 'questions';
        $questions_category_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'question_categories';
        $answers_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'answers';
        $sections_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'sections';
        if(empty($surveys_ids)){
            $where = '';
        }else{
            $where = " WHERE id IN (". implode(',', $surveys_ids) .") ";
        }
        $sql_survey_categories = "SELECT * FROM ".$survey_category_table;
        $survey_categories = $wpdb->get_results($sql_survey_categories, 'ARRAY_A');
        $survey_all_categories = array();
        foreach ($survey_categories as $survey_categories_key) {
            $survey_all_categories[$survey_categories_key['id']] = $survey_categories_key['title'];
        }
        $sql_surveys = "SELECT * FROM ".$surveys_table.$where;
        $surveys = $wpdb->get_results($sql_surveys, 'ARRAY_A');
        $data = array();
        $data['ays_survey_key'] = 1;
        $data['surveys'] = array();
        foreach ($surveys as $survey_key => &$survey) {
            $questions_id = trim($survey['question_ids'], ',');
            $survey_cat_ids = explode(',' , $surveys[$survey_key]['category_ids']);
            foreach ($survey_cat_ids as $survey_cat_key) {
                $surveys[$survey_key]['survey_categories'][$survey_cat_key] = $survey_all_categories[$survey_cat_key];
            }
            unset($survey['id']);
            unset($survey['category_ids']);
            if(empty($questions_id)){
                $survey["questions"] = array();
            }else{
                $sql_sections = "SELECT id,title,ordering FROM ".$sections_table." WHERE id IN (". esc_sql( $survey['section_ids'] ) .")";
                $sections = $wpdb->get_results($sql_sections, 'ARRAY_A');
                $sql_question_cat = "SELECT * FROM ".$questions_category_table;
                $questions_categories = $wpdb->get_results($sql_question_cat, 'ARRAY_A');
                $categories = array();
                foreach ($questions_categories as $question_key) {
                    $categories[$question_key['id']] = $question_key['title'];
                }
                $sql_questions = "SELECT * FROM ".$questions_table." WHERE id IN (". esc_sql( $questions_id ) .")" ;
                $all_questions = $wpdb->get_results($sql_questions, 'ARRAY_A');
                $cat_ids = '';
                foreach ($all_questions as $key => &$question) {
                    $all_questions[$key]['answers'] = $this->get_question_answers($question['id']);
                    $cat_ids = explode(',' , $all_questions[$key]['category_ids']);
                    foreach ($cat_ids as $cat_key) {
                        $all_questions[$key]['question_categories'][$cat_key] = $categories[$cat_key];
                    }
                }
            }
            $survey['sections'] = $sections;
            $survey['questions'] = $all_questions;
        }        
            $data['surveys'] = $surveys;        $response = array(
            'status' => true,
            'data'   => $data,
            'title'  => 'surveys-export',
        );
        echo json_encode($response);
        wp_die();
    }

The Flaw in the code:

Assumption Might be:

I think developer must have said look I have the sanitization for survey_ids available so we are good and safe from SQL Injection 🙊

$surveys_ids = isset($_REQUEST['surveys_ids']) ? array_map( 'sanitize_text_field', $_REQUEST['surveys_ids'] ) : array();

Truth:

The sanitization performed by sanitize_text_field() is not designed to handle SQL injection attacks. It primarily focuses on removing or escaping characters that could cause issues when displaying the input on a webpage, such as HTML tags or special characters. So even with the sanitization, the code is still vulnerable to SQL injection.

Demo How ?

So let’s open the admin-ajax.php page again and in action provide the function name and and under surveys_id[0]= pass this value 1 )+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+

To monitor it closely I placed a breakpoint in the ays_surveys_export_json method and kept surveys_ids under watch window

So some default URL encoding might replaced our + by space 🙈😃

And sanitize_text_field did not do anything specific and just moved to the next line as you can see in below watch window

Now as the survey_ids are not empty the command get concatenated with where clause

After a concatenation the final version of the command became :

SELECT * FROM wp_ayssurvey_surveys WHERE id IN (1) AND (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -)

SELECT * FROM wp_ayssurvey_surveys: This part of the 
query selects all columns (*) from the table named wp_ayssurvey_surveys. 
It is the main part of the query that fetches data from the table.

WHERE id IN (1): This condition filters the results based on the id column.
 In this case, it specifies that only rows with an id value of 1 should
 be included in the result.AND (SELECT 1 FROM (SELECT(SLEEP(10)))a): This is an injected subquery. 
It attempts to execute a SELECT statement with a SLEEP(10) function call. 
The purpose of the SLEEP() function is to introduce a delay in the query 
execution. In this case, it pauses the execution for 10 seconds.-- -: This is a comment used to bypass any remaining part of the original
 query. It effectively comments out the rest of the query to avoid syntax 
errors.

How the Attacker would abuse this ?

So the injected subquery is an example of a time-based blind SQL injection attack. By manipulating the input, we tried to delay the response from the database server, which was an indication of a successful injection.

Data Manipulation: Attackers can modify or delete data within the database, altering the integrity of the application. This can result in data loss, corruption, or manipulation of important records.
Privilege Escalation: By injecting specific SQL statements, an attacker may attempt to escalate their privileges within the system. For example, they can try to elevate their user privileges to gain administrative access or execute commands with higher privileges.
Database Takeover: Exploiting SQL injection vulnerabilities, attackers can potentially gain control over the entire database server. They can execute arbitrary SQL commands, create new database accounts, modify database schemas, or even execute commands on the underlying operating system.
Denial of Service (DoS): Attackers can use SQL injection as a means to launch DoS attacks by crafting malicious queries that consume excessive server resources, leading to performance degradation or server unavailability.
Remote Code Execution: In some cases, SQL injection vulnerabilities can allow attackers to execute arbitrary code on the server. This can lead to complete compromise of the server and allow the attacker to execute any commands or scripts within the server’s environment.

Patch Diffing

The impacted file **class-survey-maker-admin.php** where the code available in the vulnerable version < 3.1.2 has a function ays_surveys_export_json and In the patched code Survey Maker just removed the code for the patch.

By removing the ays_surveys_export_json function, the survey maker eliminates the immediate risk associated with the vulnerable code. This prevents attackers from exploiting the SQL injection vulnerability through that specific entry point.

However, it’s important to note that simply removing the vulnerable function may not be sufficient to fully patch the vulnerability. As the entry point may change but vulnerability might can exist.

MITIGATION:

As this is the plugin issue so Survey Maker created a new release in which they removed the code from the file and the vulnerable function doesn’t exists in the releases , so an upgrade to the version 3.1.2 and above will resolve the issue.

Final Thoughts:

I think the problem id un-awareness or not much knowledge of security ,I think developers needs to understand and follow secure coding practices, such as using secure coding guidelines, avoiding dynamic SQL queries whenever possible, and conducting code reviews to

identify and fix potential vulnerabilities.They need to ensure that development team is aware of the risks associated with SQL injection and educated on secure coding practices.

Regularly train and update developers on the latest security best practices to maintain a proactive security posture.And also Perform regular security testing, including vulnerability

assessments and penetration testing, to identify and mitigate SQL injection vulnerabilities. Automated tools and manual code reviews can also help identify potential issues.