At 10Web, our mission is to create a product that will help our clients increase productivity, extend the functionality of their websites and make their work more pleasant and effective. This is why we do everything to make sure our solutions combine functionality and aesthetics to enhance your experience with WordPress sites. 10Web AI Website Builder is the first and only website builder platform for WordPress that allows users to host and manage their sites. The goal of this platform is to have pixel perfect sites due to the easy-to-use drag-and-drop builder that runs on top of Elementor. Build you WordPress site on top of Elementor using 50+ premium 10Web plugins Automatically move your existing site to 10Web's superfast hosting with a single click; hosting powered by Google Cloud Connect your WordPress site to use backup, security, SEO, image optimization, performance services, and management features.
On May 15th, 2020, a SQL injection vulnerability for the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not soon after this, we noticed an increase in SQL injection attacks against WordPress sites.
As you can see from the graph above, the attacks were spiking on May 16th at 10 PM and May 17th at 7 AM. At the time of the spike, the attack count raised as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on 17th May the attacks started to lower ending with 2 attacks on the 17th at 12 AM.
Analysis Of The Attack
After an analysis, it seems that a malicious user is attempting to find sites that have a vulnerable version of this plugin installed. We found the POST payload below being sent 19 000 times against WordPress sites over a period of roughly 36 hours.
This payload seems to perform a basic UNION SQL injection attack which will attempt to inject different data into the result set of the query which the malicious user can use to determine if a vulnerable version of the plugin is, in fact, running on the site.
All requests were sent with the same user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
Multiple IP addresses were used in the attack, the top 10 are as follows:
- 104.131.54.12 – USA – DigitalOcean
- 92.53.66.50 – Russia – OOO Network of data-centers Selectel
- 54.36.181.42 – France – OVH SAS
- 54.36.197.5 – France – OVH SAS
- 51.83.70.152 – France – OVH SAS
- 51.178.9.174 – France – OVH SAS
- 54.38.38.128 – France – OVH SAS
- 37.17.168.148 – Hungary – Szervernet Ltd
- 192.254.68.134 – USA – Centrilogic
- 188.166.189.164 – Singapore – DigitalOcean
Analysis Of The Plugin
The payload above makes it clear that the issue resides in the wp_ajax_bwg_frontend_dataand wp_ajax_nopriv_bwg_frontend_data AJAX actions which both call a function frontend_data which calls a chain of other functions which ultimately ends up in the file that is vulnerable to SQL injection: /frontend/models/model.php.
In this file, there is a function called get_image_rows_datawhich uses the bwg_search_* parameter. From the payload used by the malicious user, we can see that it is in fact where the issue resides. Data from the user-provided bwg_search_* parameter was used directly in the SQL query which caused this SQL injection vulnerability to exist.
If we take a look at the differences between version 1.5.54 and 1.5.55 of the plugin here, you can see that the patched version contains the usage of the $wpdb->prepare function which mitigates the vulnerability.
10web
Timeline
10 Web
May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability
10 Webinar Best Practices
If you’re concerned that your website might be hacked, please follow the WordPress malware removal guide or get fast professional help with our WordPress malware removal service.