php.wordpress-plugins.security.audit.wp-sql-injection-audit.wp-sql-injection-audit

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected unsafe API methods. This could lead to SQL Injection if the used variable in the functions are user controlled and not properly escaped or sanitized. In order to prevent SQL Injection, use safe api methods like "$wpdb->prepare" properly or escape/sanitize the data properly.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: wp-sql-injection-audit
    patterns:
      - pattern-either:
          - pattern: $wpdb->query(...)
          - pattern: $wpdb->get_var(...)
          - pattern: $wpdb->get_row(...)
          - pattern: $wpdb->get_col(...)
          - pattern: $wpdb->get_results(...)
          - pattern: $wpdb->replace(...)
      - pattern-not: $wpdb->prepare(...)
      - pattern-not: $wpdb->delete(...)
      - pattern-not: $wpdb->update(...)
      - pattern-not: $wpdb->insert(...)
    message: Detected unsafe API methods. This could lead to SQL Injection if the
      used variable in the functions are user controlled and not properly
      escaped or sanitized. In order to prevent SQL Injection, use safe api
      methods like "$wpdb->prepare" properly or escape/sanitize the data
      properly.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      confidence: LOW
      likelihood: LOW
      impact: HIGH
      category: security
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#sql-injection
        - https://owasp.org/www-community/attacks/SQL_Injection
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection

Examples

wp-sql-injection-audit.php

<?php

// ruleid: wp-sql-injection-audit
$result = $wpdb->get_var("SELECT meta_value FROM {$wpdb->prefix}table WHERE order_item_id = $order_item_id AND meta_key = $meta_key");

// ruleid: wp-sql-injection-audit
$get_question_options = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}table WHERE question_id = $id ", ARRAY_A);

// ok: wp-sql-injection-audit
$wpdb->prepare("SELECT $column FROM $this->table_name WHERE $this->primary_key = %d LIMIT 1;",(int) $row_id);



?>