SQL injection in Podlove?


I discovered the following entry in the error log of my web server. It appeared the 1st time yesterday at about 14h (CET). The log messages suggests that it is an SQL injection trial somehow related to PPP:

[Tue Nov 26 06:21:10.550567 2019] [php7:notice] [pid 22808] [client] WordPress-Datenbank-Fehler Unknown column 'wp_mu_9_podlove_episode.subtitle' in 'where clause' f\xc3\xbcr Abfrage SELECT wp_mu_9_posts.* FROM wp_mu_9_posts WHERE 1=1 AND (wp_mu_9_posts.ID = '0') AND (\n\t\t\t\n\t\t\t(\n\t\t\t\t(wp_mu_9_posts.post_title LIKE '%1%')\n\t\t\t\tOR\n\t\t\t\t(wp_mu_9_posts.post_content LIKE '%1%')\n\t\t\t\tOR\n\t\t\t\t(wp_mu_9_podlove_episode.subtitle LIKE '%1%')\n\t\t\t\tOR\n\t\t\t\t(wp_mu_9_podlove_episode.summary LIKE '%1%')\n\t\t\t\tOR\n\t\t\t\t(wp_mu_9_podlove_episode.chapters LIKE '%1%')\n\t\t\t)) AND (wp_mu_9_posts.post_password = '') AND wp_mu_9_posts.post_type = 'page' ORDER BY wp_mu_9_posts.post_title LIKE '%1%' DESC, wp_mu_9_posts.post_date DESC von require('wp-blog-header.php'), wp, WP->main, WP->query_posts, WP_Query->query, WP_Query->get_posts, referer: freeskippers.at

Any ideas?

I could track down this more specifically by using my test blog. The error message appears only if the Podlove Publisher Plugin is activated.
The message can be force by accessing the WP page with the following URL:

foo can be replaced with any other string.

No attack, just a (known) bug in the search logic: https://github.com/podlove/podlove-publisher/issues/1072

1 Like