
SQL Injection Attacks on WordPress: How Hackers Exploit Database Vulnerabilities

SQL injection remains one of the most dangerous vulnerabilities in WordPress plugins and themes. Learn how these attacks work and how to protect your database.

WPSentry Team · March 8, 2026 · 3 min read

What is SQL Injection?

SQL Injection (SQLi) is a code injection technique where an attacker inserts malicious SQL statements into input fields, URL parameters, or cookies that are passed to the database without proper sanitization. It is ranked #3 in the OWASP Top 10 and can lead to complete database compromise.

In WordPress, SQL injection typically occurs in poorly coded plugins and themes that build database queries by directly concatenating user input.

How SQL Injection Works

Classic SQL Injection

Consider a vulnerable WordPress plugin that fetches products by ID:

// VULNERABLE CODE — never do this!
$id = $_GET['product_id'];
$query = "SELECT * FROM wp_products WHERE id = $id";
$results = $wpdb->get_results($query);

An attacker can supply:

?product_id=1 UNION SELECT user_login, user_pass, 3, 4 FROM wp_users--

This modifies the query to return WordPress admin credentials from the wp_users table.

Blind SQL Injection

When the application doesn't display query results directly, attackers use blind SQLi — asking true/false questions to extract data one character at a time:

?product_id=1 AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE id=1)='$'

This is slower but equally effective. Automated tools like sqlmap can extract entire databases this way.

Second-Order SQL Injection

The malicious input is stored in the database first and only executed when a different part of the application retrieves and uses it in a query later. This is particularly insidious because the initial input may pass all validation checks.
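The flow described above, as an added example that is not code from the original post. It assumes WordPress is loaded (so $wpdb is available) and two hypothetical custom tables, {$wpdb->prefix}vendor_profiles (user_id, vendor_slug) and {$wpdb->prefix}orders (vendor_slug); the save step is written safely, and the injection only fires when another feature concatenates the stored value.

```php
<?php
// Added example (not from the original post) of a second-order SQL injection.
// Assumes WordPress is loaded ($wpdb available) and the hypothetical tables
// {$wpdb->prefix}vendor_profiles and {$wpdb->prefix}orders exist.

// Step 1 (safe on its own): the value is stored through $wpdb->insert(), which
// escapes it, so the INSERT is not injectable. Nothing restricts the content,
// so a slug containing a single quote is saved verbatim and passes "validation".
function wpsentry_example_save_vendor_slug( $user_id, $slug ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'vendor_profiles',
        array( 'user_id' => absint( $user_id ), 'vendor_slug' => (string) $slug ),
        array( '%d', '%s' )
    );
}

// Step 2 (vulnerable): a different feature reads the stored slug back later and
// treats it as trusted because "it came from our own database".
function wpsentry_example_vendor_orders_vulnerable( $user_id ) {
    global $wpdb;
    $slug = $wpdb->get_var( $wpdb->prepare(
        "SELECT vendor_slug FROM {$wpdb->prefix}vendor_profiles WHERE user_id = %d",
        absint( $user_id )
    ) );
    // The stored string is concatenated straight into SQL: this is where the
    // injection stored in step 1 actually executes.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}orders WHERE vendor_slug = '$slug'"
    );
}

// Step 2 (fixed): data read from the database is still untrusted data. Bind it
// with prepare() exactly as you would a request parameter.
function wpsentry_example_vendor_orders_fixed( $user_id ) {
    global $wpdb;
    $slug = $wpdb->get_var( $wpdb->prepare(
        "SELECT vendor_slug FROM {$wpdb->prefix}vendor_profiles WHERE user_id = %d",
        absint( $user_id )
    ) );
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}orders WHERE vendor_slug = %s",
        $slug
    ) );
}
```

The lesson is that where a value came from (request, cookie, or your own table) does not change how it is used: every value that ends up in a query goes through prepare().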

Common SQL Injection Targets in WordPress

  • Custom plugin search forms — Plugins that implement their own search without using WordPress APIs
  • AJAX handlers — Admin-ajax.php callbacks that don't use prepared statements
  • REST API custom endpoints — Custom endpoints that query the database directly
  • Sorting and filtering parameters — ORDER BY and WHERE clause injections
  • Import/export functionality — CSV or XML processing that generates queries

Consequences of SQL Injection

  • Data theft — Usernames, passwords, emails, personal information
  • Authentication bypass — Logging in as any user including administrators
  • Data manipulation — Modifying or deleting database content
  • Remote code execution — Using INTO OUTFILE to write PHP shells to disk
  • Complete server compromise — Escalating from database access to OS-level control

Preventing SQL Injection in WordPress

For Site Owners

  1. Keep plugins and themes updated — Most SQLi patches are for known vulnerabilities in outdated code
  2. Use reputable plugins — Choose plugins with active development, security audits, and large user bases
  3. Install a WAF — Web Application Firewalls can detect and block SQL injection patterns in requests
  4. Minimize plugin count — Every plugin is a potential attack surface. Remove unused ones
  5. Use a security scanner — Regularly scan for known vulnerable plugin versions

For Developers

  1. Always use $wpdb->prepare() — This is WordPress's built-in parameterized query method:
    $results = $wpdb->get_results(
      $wpdb->prepare(
        "SELECT * FROM wp_products WHERE id = %d",
        $id
      )
    );
  2. Use WordPress APIs: WP_Query, get_posts(), and the REST API handle escaping automatically
  3. Validate and cast input types — If expecting an integer, cast with (int) or absint()
  4. Use whitelists for dynamic SQL — If column names or ORDER BY directions come from user input, validate against a whitelist
  5. Apply least-privilege database access — WordPress DB users shouldn't have DROP, FILE, or GRANT privileges
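Rules 1, 3 and 4 above combined in one lookup function, as an added example that is not code from the original post. It assumes WordPress is loaded (so $wpdb, absint() and $wpdb->esc_like() are available) and a hypothetical custom table {$wpdb->prefix}products with columns id, name, price, category_id and created_at.

```php
<?php
// Added example (not from the original post): a product lookup that applies the
// developer rules above. Assumes WordPress is loaded and the hypothetical table
// {$wpdb->prefix}products exists. $args is the raw request array ($_GET etc.).
function wpsentry_example_get_products( array $args ) {
    global $wpdb;

    // Rule 3: cast types. absint() turns anything that is not a non-negative
    // integer into 0, so a payload such as "1 UNION SELECT ..." never reaches SQL.
    $category_id = absint( $args['category_id'] ?? 0 );
    $per_page    = min( absint( $args['per_page'] ?? 20 ), 100 );

    // Rule 4: identifiers (ORDER BY column, direction) cannot be bound as
    // placeholders, so validate them against a fixed whitelist and fall back to
    // a safe default on anything else, including arrays sent as orderby[]=...
    $allowed_columns = array( 'id', 'name', 'price', 'created_at' );
    $orderby = ( isset( $args['orderby'] ) && in_array( $args['orderby'], $allowed_columns, true ) )
        ? $args['orderby']
        : 'id';
    $order = ( isset( $args['order'] ) && is_string( $args['order'] )
               && strtoupper( $args['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';

    // Free-text search is bound as a %s placeholder. esc_like() first, so that a
    // user-supplied % or _ is matched literally instead of acting as a wildcard.
    $search = ( isset( $args['search'] ) && is_string( $args['search'] ) ) ? $args['search'] : '';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    // Rule 1: every user-controlled value is a placeholder. The table name and
    // the two whitelisted identifiers are the only string interpolations.
    $table = $wpdb->prefix . 'products';
    $sql   = $wpdb->prepare(
        "SELECT id, name, price
           FROM {$table}
          WHERE category_id = %d
            AND name LIKE %s
       ORDER BY {$orderby} {$order}
          LIMIT %d",
        $category_id,
        $like,
        $per_page
    );

    return $wpdb->get_results( $sql );
}

// Typical use from an admin-ajax.php or REST callback: hand the request array
// straight in; every field is either cast, whitelisted or bound above.
// $rows = wpsentry_example_get_products( $_GET );
```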

Detecting SQL Injection Vulnerabilities

Our security scanner checks for plugins with known SQL injection vulnerabilities by cross-referencing your installed plugins against the WPScan vulnerability database. Regular scanning ensures you're notified when a vulnerability is discovered in any plugin you use.

Frequently Asked Questions

SQL injection is a code injection technique where an attacker inserts malicious SQL statements into input fields, URL parameters, or cookies that are passed to the database without proper sanitization. It can lead to complete database compromise including theft of usernames, passwords, and personal data.

SQL injection typically occurs in poorly coded plugins that build database queries by directly concatenating user input instead of using WordPress's built-in $wpdb->prepare() method for parameterized queries.

Attackers can steal data (usernames, passwords, emails), bypass authentication to log in as any user, manipulate or delete database content, execute remote code by writing PHP shells to disk, and potentially compromise the entire server.

Keep plugins and themes updated, use reputable plugins with active development, install a Web Application Firewall (WAF), minimize your plugin count, and regularly scan for known vulnerable plugin versions. Developers should always use $wpdb->prepare() for database queries.

Blind SQL injection is used when the application doesn't display query results directly. Attackers ask true/false questions to extract data one character at a time. Automated tools like sqlmap can extract entire databases this way, making it equally effective despite being slower.