WordPress Plugin StopBadBots is Vulnerable to SQL Injection


According to vulnerability analyses released by Patchstack and WPScan, a WordPress plugin may be open to exploitation. The reports, dated November 15th, 2021, reveal that the StopBadBots plugin for WordPress contains a security flaw that a remote attacker could abuse.

A Proof-of-Concept (POC) exploit also exists, meaning the vulnerability has been shown to work and could be leveraged by cybercriminals for malicious purposes. According to Patchstack, the flaw “can be exploited remotely without any authentication.”

About StopBadBots

StopBadBots is a WordPress plugin with over 10,000 active installations, supported on WordPress version 4.0 and above. Although the plugin is not nearly as popular as top WordPress plugins such as Yoast, Jetpack, and Akismet, which have recorded millions of installations, it is still used by a significant number of users.

According to the plugin’s introduction web page, StopBadBots is a “completely self-contained” plugin that stops “Bad Bots, SPAM bots, Crawlers and spiders without DNS Cloud or API (EndPoint) Traffic Redirection.” The description also states that it will not cause site slow-downs or incur Google penalties.

Premium features of the plugin include blocking malicious traffic and spam from countries such as Cuba, North Korea, and China via a ready-made database of IP addresses. StopBadBots also offers to ban “SPAMMERS, CRAWLERS, SPIDERS, HACKERS AND BAD BEHAVIOR” and advertises ‘anti-hacker protection.’

StopBadBots Plugin Security Flaw

Information from WPScan confirmed the presence of a POC: “The PoC will be displayed on November 29, 2021, to give users the time to update.”

The software vulnerability in the StopBadBots plugin (CVE-2021-24863) is an SQL injection flaw that allows a remote attacker to gain unauthorized access to the application. StopBadBots does not “sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection.” Because the User-Agent header is supplied by the client with every request, the attack can be launched remotely.

SQL Injection

An SQL injection attack (SQLI) is a method cybercriminals most commonly use to gain unauthorized access to databases, often via automated tools. Several large companies, including Equifax, Yahoo, and Sony Pictures, have been compromised as a result of SQLI attacks. SQLI attacks are not difficult for cybercriminals to orchestrate; according to Malwarebytes, “Cybersecurity researchers regard the SQLI as one of the least sophisticated, easy-to-defend-against cyberthreats.” Attacks leverage the decades-old SQL language (Structured Query Language), commonly used to manage online databases, to “enter malicious commands into web forms, like the search field, login field, or URL, of an unsecured website to gain unauthorized access to sensitive and valuable data.”
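The defect described in the advisory, as an added illustration (not the plugin's own source): a visitor-logging routine that concatenates the raw User-Agent header into an INSERT statement, beside the form that lets WordPress's `$wpdb` API parameterise the value. The table name `bot_visits` and its columns are assumed for the example.

```php
<?php
// Added illustration, not StopBadBots code. Table and column names are assumed.

/**
 * Vulnerable pattern: the User-Agent header is attacker-controlled and is
 * interpolated straight into the SQL text. A quote character in the header
 * terminates the string literal, so whatever follows is parsed as SQL.
 */
function log_visit_unsafe() {
    global $wpdb;
    $ua    = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $table = $wpdb->prefix . 'bot_visits';   // assumed table name
    $wpdb->query( "INSERT INTO {$table} (user_agent, visited_at) VALUES ('{$ua}', NOW())" );
}

/**
 * Hardened form: the value never becomes part of the SQL text. $wpdb->insert()
 * builds a prepared statement and the '%s' format binds the header as a string,
 * so a quote in the header is stored as data rather than executed.
 */
function log_visit_safe() {
    global $wpdb;
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) )
        : '';
    $ua = substr( $ua, 0, 255 );             // bound what is stored

    $wpdb->insert(
        $wpdb->prefix . 'bot_visits',        // assumed table name
        array( 'user_agent' => $ua, 'visited_at' => current_time( 'mysql' ) ),
        array( '%s', '%s' )
    );
}

/**
 * When a hand-written statement is unavoidable, $wpdb->prepare() supplies the
 * same protection: placeholders are bound, never interpolated.
 */
function count_visits_by_agent( $ua ) {
    global $wpdb;
    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}bot_visits WHERE user_agent = %s",
            $ua
        )
    );
}
```

Reviewing a plugin for the first pattern (request-derived values such as `$_SERVER['HTTP_USER_AGENT']` appearing inside a quoted SQL string) is a quick way to spot this class of bug before an advisory does.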

Vulnerable Software Versions

StopBadBots versions 6.66 and below (all releases before 6.67) are vulnerable to the SQL injection flaw.

Important User Information

Users should be aware that this is a high-risk situation: a POC exists for a flaw in the StopBadBots WordPress security plugin. An exploited plugin vulnerability could lead to the compromise of the website, user devices, and the wider network. All users should therefore update immediately to the fixed version of the StopBadBots plugin. Release 6.67 of the plugin can be downloaded here.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.