CVE-2023-54333: Unauthenticated SQL Injection in Social-Share-Buttons Plugin Leading to Full WordPress Database Compromise

SQL Injection Vulnerability — Full Database Compromise Risk


Vulnerability Overview

  • CVE ID: CVE-2023-54333
  • Affected Product: Social-Share-Buttons (Supsystic) WordPress Plugin
  • Affected Versions: Up to and including 2.2.3
  • Vulnerability Type: SQL Injection
  • Attack Vector: Remote, unauthenticated
  • CVSS v3.1 Score: 8.2 (High)
  • Severity: High
  • Authentication Required: No
  • User Interaction: Not required
  • Exploit Maturity: Public proof-of-concept available (educational / research purposes)

Executive Summary

This vulnerability exists because the Social-Share-Buttons plugin places a request parameter (project_id) inside a database query without validating it or binding it as a parameter. The value is taken straight from the HTTP request and spliced into the SQL text, so whatever the client sends becomes part of the query the database executes.

An attacker can therefore inject their own SQL through the request. A successful injection makes the database return data the attacker should never see, such as usernames, password hashes, email addresses, site configuration values (wp_options) and other sensitive records.

Depending on the privileges of the database user and the server configuration, the impact can escalate beyond data theft to complete site takeover, for example by cracking an exposed administrator password hash or by modifying database content.


Root Cause

  • The plugin reads a parameter named project_id from the body of an HTTP POST request.
  • The value is concatenated directly into an SQL query string.
  • Nothing stands between the request and the database: no input validation, no type enforcement (the parameter is meant to be an integer) and no prepared statement.
  • As a result, characters and keywords with meaning in SQL (', --, UNION, etc.) are parsed by the database as part of the query instead of being treated as data.

This is a textbook instance of CWE-89. Note that the correct fix is not to "sanitize" the string but to enforce the expected type and bind the value as a query parameter, so it can never be interpreted as SQL syntax.
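To make the root cause concrete, the following added example (it is not the plugin's code) reproduces the flaw and its fix in Python with SQLite standing in for PHP and MySQL. The projects and wp_users tables, their columns and the rows are constructed for the demonstration. The vulnerable function splices the request value into the SQL text exactly as described above; the hardened function enforces the integer type and binds the value, which is what $wpdb->prepare() with a %d placeholder does in WordPress.

```python
"""Root cause of the project_id injection, reproduced against SQLite.

Added example, not the plugin's code. Tables, columns and rows are
constructed stand-ins for a WordPress database.
"""
import sqlite3


def make_db():
    """Constructed sample data: a plugin table plus a wp_users-like table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE projects (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO projects VALUES (1, 'Default share bar'), (2, 'Footer bar');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES
            (1, 'admin',  '$P$BconstructedHash00000000000000'),
            (2, 'editor', '$P$BconstructedHash11111111111111');
    """)
    return db


def vulnerable_lookup(db, project_id):
    """Mirrors the flaw: the request value becomes part of the SQL text,
    so a quote closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, title FROM projects WHERE id = '{project_id}'"
    return db.execute(sql).fetchall()


def hardened_lookup(db, project_id):
    """Fix: enforce the expected type, then bind the value as a parameter.
    The value is never parsed as SQL, whatever characters it contains."""
    if not str(project_id).isdigit():
        raise ValueError("project_id must be a positive integer")
    return db.execute(
        "SELECT id, title FROM projects WHERE id = ?", (int(project_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal  :", vulnerable_lookup(db, "1"))
    print("boolean :", vulnerable_lookup(db, "1' OR '1'='1"))
    print("union   :", vulnerable_lookup(db,
          "1' UNION SELECT user_login, user_pass FROM wp_users-- -"))
    print("hardened:", hardened_lookup(db, "1"))
    try:
        hardened_lookup(db, "1' OR '1'='1")
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

Run as-is, the boolean payload returns every project row and the UNION payload returns the login names and password hashes alongside the project data, while the hardened function rejects both payloads before any query is built. The time-based payload from the page uses MySQL's SLEEP() and is not reproduced here.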


How the Vulnerability Can Be Exploited

Attack Flow (High-Level)

  1. The attacker identifies a WordPress site running a vulnerable version of the plugin.
  2. They send a crafted HTTP POST request to the plugin's exposed endpoint.
  3. The project_id parameter carries SQL syntax instead of a plain numeric value.
  4. The database executes the injected SQL as part of the plugin's query.
  5. The response either contains the extracted data directly (UNION-based) or reveals it indirectly through changed page content or response timing (blind injection).

No login, session cookie, or admin access is required.


Example Exploitation Techniques (Educational Use Only)

⚠️ The following examples are strictly for defensive testing and education.
Never test systems you do not own or have permission to test.

1. Boolean-Based Injection

project_id=1' OR '1'='1

The quote closes the string literal the query wraps around the value, and the OR makes the WHERE clause always true. If the response differs from the one for a plain project_id=1 (more records, a different page length, an SQL error), the parameter is injectable. When the payload is sent in a POST body it has to be URL-encoded, so on the wire it looks like project_id=1%27+OR+%271%27%3D%271.


2. UNION-Based Data Extraction

project_id=1' UNION SELECT user_login, user_pass FROM wp_users-- -

This exposes administrator usernames and password hashes. It only works when the injected SELECT returns the same number of columns, with compatible types, as the plugin's own query; with the wrong count the database returns an error, so the column count has to be established first (for example by adding NULL columns one at a time). The table prefix wp_ is the WordPress default but is often changed; the real name can be read from information_schema (technique 4).


3. Time-Based Blind SQL Injection

project_id=1' AND IF(1=1, SLEEP(5), 0)-- -

SLEEP() and IF() are MySQL/MariaDB syntax, which is what WordPress runs on. Measure the baseline response time for a normal request first; a delay of roughly five seconds beyond that baseline, reproducible on repeat, confirms the injection even when the response body reveals nothing. The same construct lets an attacker extract data one true/false condition at a time, which is why this variant matters even on endpoints that never echo query results.


4. Database Enumeration

project_id=1' UNION SELECT table_name FROM information_schema.tables-- -

Lists every table visible to the database user. Adding WHERE table_schema = database() restricts the result to the WordPress database and also reveals the site's actual table prefix. The column-count requirement from technique 2 applies here as well.


Potential Impact

If exploited, an attacker may be able to:

  • Read the entire WordPress database
  • Steal administrator credentials (password hashes)
  • Expose email addresses and personal data
  • Modify database content
  • Create or elevate WordPress admin users
  • Plant persistent backdoors (for example by writing files with INTO OUTFILE, if the database user holds the FILE privilege and secure_file_priv allows writes to the web root)
  • Fully compromise the website and use it to attack its visitors

This vulnerability directly threatens confidentiality and integrity.


MITRE Mapping

CWE

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

ATT&CK Techniques

  • T1190: Exploit Public-Facing Application
  • T1213: Data from Information Repositories

How to Detect Exploitation Attempts

Recommended Log Sources

  1. Web Server Access Logs (Apache / Nginx)
  2. Web Application Firewall (WAF) Logs
  3. WordPress Debug Logs
  4. Database Logs (MySQL general log / slow query log)

Note that Apache and Nginx access logs record only the request line (method, path and query string), not the POST body. A payload sent in the body shows up there only as a POST to the plugin's endpoint; the project_id value itself is visible only in a WAF, ModSecurity audit or reverse-proxy log that captures request bodies, or in the access log when the payload is sent in a GET query string.

Indicators to Look For

  • Requests to the plugin's endpoint where project_id is anything other than a plain integer, in particular values containing:
    • ' OR
    • UNION SELECT
    • INFORMATION_SCHEMA
    • SLEEP(
    • SQL comments (--, #)
    • the URL-encoded forms of the above (%27 for ', %20 or + for space, %2D%2D for --)
  • Repeated requests with slightly modified payloads
  • Unusual delays in server responses
  • Database queries accessing system tables unexpectedly
  • High volume of failed or malformed POST requests

Example Detection Queries

Web Log Hunting

Search for requests containing the following strings (in both raw and URL-encoded form; in plain access logs they appear only when the payload travels in the query string, so search WAF or audit logs for POST bodies):

project_id='
project_id=1 UNION
project_id=1 AND SLEEP

Database Monitoring

Alert on:

  • Queries referencing information_schema
  • Queries executed by the web user containing UNION
  • Sudden spikes in SELECT queries on wp_users

Example IDS / WAF Detection Rules

SQL Injection Pattern Detection

Because project_id is expected to be an integer, the rule with the fewest false positives is a positive one:

  • Block requests to the plugin's endpoint where:
    • Parameter name = project_id
    • Value contains anything other than digits

Where only generic pattern matching is available, URL-decode the value, strip inline /**/ comments and match case-insensitively; the patterns to flag are:

UNION SELECT
INFORMATION_SCHEMA
SLEEP(
' OR '
-- -
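The detection logic described in the hunting, database-monitoring and WAF sections above, as an added example that is not part of the original page: it URL-decodes each project_id value (repeatedly, to catch double encoding), strips inline comments, lowercases, and then reports which indicators fire, treating any non-integer value as anomalous even when no pattern matches. Because standard access logs lack POST bodies, the example assumes a log source that records them (WAF or ModSecurity audit log, a reverse proxy with body logging) or GET query strings; the request records, timestamps and addresses are constructed, not real traffic.

```python
"""Hunt for exploitation attempts against the project_id parameter.

Added example, not from the original page. Assumes request records that
include the POST body (WAF/audit log) or a GET query string. The sample
records are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

INTEGER = re.compile(r"^\d+$")  # what a legitimate project_id looks like

SQLI_PATTERNS = {
    "quote_or":     re.compile(r"'\s*or\b"),                      # 1' OR '1'='1
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "info_schema":  re.compile(r"\binformation_schema\b"),
    "time_delay":   re.compile(r"\b(sleep|benchmark)\s*\("),
    "sql_comment":  re.compile(r"(--|#)"),
}


def normalize(value):
    """Undo the evasions a naive substring match misses: repeated URL
    encoding, inline /**/ comments, mixed case and irregular whitespace."""
    prev = None
    for _ in range(3):                 # bounded; stop once decoding is stable
        if value == prev:
            break
        prev, value = value, unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value)   # UnIoN/**/SeLeCt -> UnIoN SeLeCt
    return re.sub(r"\s+", " ", value).lower()


def classify(value):
    """Indicator names that fire for one project_id value. A value that is
    not a plain integer is anomalous even if no SQL pattern matches."""
    if INTEGER.match(value):
        return []
    norm = normalize(value)
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(norm)]
    return hits or ["non_numeric"]


def hunt(records):
    """Return (timestamp, source, reasons) for every suspicious request."""
    alerts = []
    for rec in records:
        raw = rec.get("query", "") if rec["method"] == "GET" else rec.get("body", "")
        params = parse_qs(raw, keep_blank_values=True)
        for value in params.get("project_id", []):
            reasons = classify(value)
            # A slow answer on top of a suspicious value corroborates
            # time-based blind injection (SLEEP(5) on the page).
            if reasons and rec.get("response_ms", 0) >= 4000:
                reasons.append("slow_response")
            if reasons:
                alerts.append((rec["ts"], rec["src"], reasons))
    return alerts


# Constructed sample traffic: one benign request, then the page's four
# payload types (one with /**/ obfuscation, one double-encoded, one via GET).
SAMPLE_REQUESTS = [
    {"ts": "2024-01-05T10:00:01Z", "src": "203.0.113.7", "method": "POST",
     "body": "action=get_shares&project_id=3", "response_ms": 120},
    {"ts": "2024-01-05T10:00:09Z", "src": "198.51.100.23", "method": "POST",
     "body": "project_id=1%27+OR+%271%27%3D%271", "response_ms": 140},
    {"ts": "2024-01-05T10:00:12Z", "src": "198.51.100.23", "method": "POST",
     "body": "project_id=1%27%20UnIoN/**/SeLeCt%20user_login,user_pass%20FROM%20wp_users--%20-",
     "response_ms": 150},
    {"ts": "2024-01-05T10:00:15Z", "src": "198.51.100.23", "method": "POST",
     "body": "project_id=1%27+AND+IF(1%3D1,SLEEP(5),0)--+-", "response_ms": 5210},
    {"ts": "2024-01-05T10:00:20Z", "src": "198.51.100.23", "method": "POST",
     "body": "project_id=1%2527%2520OR%25201%253D1", "response_ms": 130},
    {"ts": "2024-01-05T10:00:25Z", "src": "198.51.100.23", "method": "GET",
     "query": "project_id=1%27+UNION+SELECT+table_name+FROM+information_schema.tables--+-",
     "response_ms": 160},
]

if __name__ == "__main__":
    for ts, src, reasons in hunt(SAMPLE_REQUESTS):
        print(ts, src, ", ".join(reasons))
```

The benign integer request produces no alert; each of the five payloads is reported with the indicators that fired, the double-encoded one only because decoding is repeated, and the time-based one additionally carries slow_response. Feeding the same classify() function into a WAF or SIEM rule gives the positive integer check from the section above as the first, cheapest filter.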

Indicators of Compromise (IoCs)

  • Unexpected admin accounts
  • Password resets without user action
  • Unknown PHP files in:
    • wp-content/uploads/
    • wp-content/plugins/
  • Modified database values
  • Outbound traffic from the server after suspicious requests

Remediation and Mitigation

Immediate Actions

  1. Update the plugin immediately to a release newer than 2.2.3, the last affected version
  2. If patching is not possible, deactivate and remove the plugin
  3. Apply WAF rules that reject non-integer project_id values and known SQL injection patterns
  4. Review logs for signs of exploitation
  5. If compromise is suspected, rotate the database credentials, reset all WordPress user passwords and regenerate the authentication salts in wp-config.php so that any exposed hashes and active sessions become useless

Long-Term Hardening

  • Enforce least-privilege database permissions: the WordPress database user needs rights only on its own database (SELECT, INSERT, UPDATE, DELETE plus the schema-change rights that core and plugin updates need), never global privileges
  • Do not grant the FILE privilege to the WordPress database user, and set secure_file_priv so the database server cannot write files into the web root
  • Enable query logging and monitoring
  • Regularly scan WordPress plugins for known vulnerabilities

Official Patch / Upgrade Link

🔗 Official WordPress Plugin Page (Update Required):
https://wordpress.org/plugins/social-share-buttons-by-supsystic/

Update the plugin using the official WordPress update mechanism to a fixed version released by the vendor. Always test updates in staging before production deployment.


Final Takeaway

  • This vulnerability is well understood and easy to exploit: a single unauthenticated POST request is enough.
  • Public proof-of-concept material exists, so exploitation attempts should be expected rather than treated as hypothetical.
  • Any site still running version 2.2.3 or older should be treated as a high-priority remediation item.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.