fix: SQL injection in Multisite WordPress when being already authenti…

…cated as network admin (#196) Signed-off-by: Christopher Klein <[email protected]>
NeosIT · Sep 13, 2024 · 68d8375 · 68d8375
1 parent 15184d7
commit 68d8375
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/readme.txt b/readme.txt
@@ -127,6 +127,7 @@ It is __not__ possible to activate *NADI* for a site inside a network.
 For detailed information you can visit the official [GitHub repository of Next Active Directory Integration](https://github.com/NeosIT/active-directory-integration2)
 
 = UNRELEASED =
+* FIXED: SQL injection in Multisite WordPress when being already authenticated as network admin (#196)
 
 = 3.1.5 =
 * CHANGED: WordPress 6.6 compatibility has been checked

diff --git a/src/shared/WordPress/Multisite/Ui/Table/ProfileAssignment.php b/src/shared/WordPress/Multisite/Ui/Table/ProfileAssignment.php
@@ -160,10 +160,13 @@ public function prepare_items()
 		if (!empty($id)) {
 			$ids = explode(',', $id);
 			$cleanIds = array_map(function($id) {
-				return wp_unslash(trim($id));
+				return wp_unslash((int)trim($id));
 			}, $ids);
 
-			$query .= $wpdb->prepare(" AND {$wpdb->blogs}.blog_id IN (" . implode(', ', $cleanIds) . ")", null);
+			// @see #196: Properly quote arguments
+			$whereInArgs = implode(', ', array_fill(0, sizeof($cleanIds), '%s'));
+
+			$query .= $wpdb->prepare(" AND {$wpdb->blogs}.blog_id IN ({$whereInArgs})", $cleanIds);
 		}
 
 		$order_by = isset($_REQUEST['orderby']) ? $_REQUEST['orderby'] : '';