31 Jul

PHP Object Injection Vulnerability in Product Reviews

We recently started proactively monitoring for evidence of some high risk vulnerabilities being in WordPress plugins when changes are made to the plugins. One of the types of vulnerabilities we are looking for are PHP object injection vulnerabilities since those are likely to be exploited if hackers become aware of them (unlike other types of vulnerabilities that security companies are known to overstate the impact of). Through that we came across a PHP object injection vulnerability in the plugin Product Reviews.

The plugin’s function EWD_URP_Update_Karama() is made available through WordPress’ AJAX functionality to those logged in to WordPress or those not logged in (in the file /Functions/Process_Ajax.php):

79
80
add_action('wp_ajax_urp_update_karma', 'EWD_URP_Update_Karama');
add_action('wp_ajax_nopriv_urp_update_karma', 'EWD_URP_Update_Karama');

That function takes the value of the cookie “EWD_URP_Karma_IDs” and unserializes it, which would allow PHP object injection:

62
63
64
65
66
67
68
69
70
71
72
73
74
function EWD_URP_Update_Karama() {
    $Path = ABSPATH . 'wp-load.php';
    include_once($Path);
 
    $Review_ID = $_POST['ReviewID'];
    $Direction = $_POST['Direction'];
 
    $Karma = get_post_meta( $Review_ID, 'EWD_URP_Review_Karma', true );
 
    if ($Direction == 'down') {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma - 1 );}
    else {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma + 1 );}
 
    $EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));

The unserialization of that cookie also occurs in the function EWD_URP_Display_Review() in the file /Shortcodes/SelectReview.php.

We notified the developer of the issue a week ago and haven’t heard back from them and no changes have been made to the plugin. We notified them of a less serious vulnerability in another of their plugins a month and half ago, which still hasn’t been resolved.

If you were using our service you would have already been warned about the vulnerability in the other plugin if you were impacted and would be notified shortly about this one as well as having us available to work with you to decide how best to protect against it.

Proof of Concept

Make the object to be injected the value of the cookie “EWD_URP_Karma_IDs” and then visit http://[path to WordPress]/wp-admin/admin-ajax.php?action=urp_update_karma (Make sure to replace “[path to WordPress]” with the location of WordPress).

You can use our PHP objection injection test plugin to make testing this proof of concept easier.

Timeline

  • July 24, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *