I am writing this article to share two SQL injection vulnerabilities (SQLi) I discovered in WordPress plugins and submitted to the Patchstack monthly competition in February 2024. In this write-up, I will not only tell you how I located these bugs but also reveal some tricks for exploiting them in the face of the strict restrictions deployed by WordPress to filter and sanitize dangerous characters. Both SQLi have now been patched by the plugin vendors, and Patchstack has published them as CVE-2024-32139 and CVE-2024-38755, respectively.
To locate SQLi, I first grep the WordPress plugin's source code for the keywords '.$ and ".$ (a string literal closed and immediately concatenated with a variable). I then take a quick look at each match and check two conditions. The first is that the value of the concatenated variable must be under the user's control. The second is that the string built by '.$ or ".$ must be used in one of the $wpdb-> methods. Following this method, I discovered two SQLi.
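The two-step triage above can be automated as a first pass over a plugin tree. The script below is an added example, not code from the article or from any plugin; it greps each PHP file for the '.$ and ".$ keywords and then keeps only those matches where a $wpdb-> call appears on the same line or within a few lines afterwards (the window size is an assumption for illustration). The three sample PHP files it scans are constructed here to show one hit that reaches the database, one that uses $wpdb->prepare() with a placeholder and is not flagged, and one concatenation that never reaches $wpdb and is also dropped. Whether the variable is actually user-controlled is still a manual check on each reported line.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a first-pass grep for the
# author's '.$ and ".$ concatenation keywords that also applies the second
# condition, i.e. the concatenated string must reach a $wpdb-> call, by
# looking for $wpdb-> on the same line or within WINDOW lines afterwards.
# Output lines are candidates for manual review, not confirmed findings.
set -u

# Print "file:line:code" for every string-literal concatenation that is
# followed by a $wpdb-> call within WINDOW lines.
# Arguments: plugin directory to scan, optional window (default 5, an assumption).
find_wpdb_concat() {
    dir=$1
    window=${2:-5}
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r file; do
        # sq/dq carry the quote characters so the awk program needs no escaping.
        awk -v window="$window" -v file="$file" -v sq="'" -v dq='"' '
            # Remember the most recent line that concatenated a variable onto a
            # string literal (the author'"'"'s "'"'"'.$ and ".$ keywords).
            index($0, sq ".$") || index($0, dq ".$") { cand_line = NR; cand_text = $0 }
            # Report it once if a $wpdb-> call shows up soon afterwards.
            index($0, "$wpdb->") && cand_line && (NR - cand_line) <= window {
                printf "%s:%d:%s\n", file, cand_line, cand_text
                cand_line = 0
            }
        ' "$file"
    done
}

# Build a constructed sample "plugin" in a temp dir and print its path.
make_sample_plugin() {
    dir=$(mktemp -d)
    # Constructed sample: request parameter concatenated straight into SQL.
    cat > "$dir/vuln.php" <<'EOF'
<?php
// Constructed sample: episode id from the request concatenated into the query.
$episode_id = $_GET['episode_id'];
$sql = "SELECT * FROM wp_sample_episodes WHERE id = ".$episode_id;
$rows = $wpdb->get_results($sql);
EOF
    # Constructed sample: the same lookup routed through $wpdb->prepare().
    cat > "$dir/safe.php" <<'EOF'
<?php
// Constructed sample: placeholder-based query, no string concatenation.
$episode_id = $_GET['episode_id'];
$rows = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM wp_sample_episodes WHERE id = %d", $episode_id)
);
EOF
    # Constructed sample: concatenation that never reaches the database.
    cat > "$dir/noise.php" <<'EOF'
<?php
// Constructed sample: the concatenated string only goes to the error log.
$name = $_GET['name'];
error_log('episode lookup for '.$name);
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: scan the constructed sample plugin and print the candidates.
demo_dir=$(make_sample_plugin)
find_wpdb_concat "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real plugin with `find_wpdb_concat /path/to/plugin`; each reported line is then reviewed by hand for the first condition (does the concatenated variable come from the request?) and, where it does, rewritten to use `$wpdb->prepare()` with `%d`/`%s` placeholders as in the safe sample.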
1. The first SQLi is located in podlove-podcasting-plugin-for-wordpress/includes/api/episodes/related_episodes.php in versions <= 4.0.12.