31 Jul

PHP Object Injection Vulnerability in Product Reviews

We recently started proactively monitoring for evidence of some high risk vulnerabilities being in WordPress plugins when changes are made to the plugins. One of the types of vulnerabilities we are looking for are PHP object injection vulnerabilities since those are likely to be exploited if hackers become aware of them (unlike other types of vulnerabilities that security companies are known to overstate the impact of). Through that we came across a PHP object injection vulnerability in the plugin Product Reviews.

The plugin’s function EWD_URP_Update_Karama() is made available through WordPress’ AJAX functionality to those logged in to WordPress or those not logged in (in the file /Functions/Process_Ajax.php):

79
80
add_action('wp_ajax_urp_update_karma', 'EWD_URP_Update_Karama');
add_action('wp_ajax_nopriv_urp_update_karma', 'EWD_URP_Update_Karama');

That function takes the value of the cookie “EWD_URP_Karma_IDs” and unserializes it, which would allow PHP object injection:

62
63
64
65
66
67
68
69
70
71
72
73
74
function EWD_URP_Update_Karama() {
    $Path = ABSPATH . 'wp-load.php';
    include_once($Path);
 
    $Review_ID = $_POST['ReviewID'];
    $Direction = $_POST['Direction'];
 
    $Karma = get_post_meta( $Review_ID, 'EWD_URP_Review_Karma', true );
 
    if ($Direction == 'down') {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma - 1 );}
    else {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma + 1 );}
 
    $EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));

The unserialization of that cookie also occurs in the function EWD_URP_Display_Review() in the file /Shortcodes/SelectReview.php.

We notified the developer of the issue a week ago and haven’t heard back from them and no changes have been made to the plugin. We notified them of a less serious vulnerability in another of their plugins a month and half ago, which still hasn’t been resolved.

If you were using our service you would have already been warned about the vulnerability in the other plugin if you were impacted and would be notified shortly about this one as well as having us available to work with you to decide how best to protect against it.

Proof of Concept

Make the object to be injected the value of the cookie “EWD_URP_Karma_IDs” and then visit http://[path to WordPress]/wp-admin/admin-ajax.php?action=urp_update_karma (Make sure to replace “[path to WordPress]” with the location of WordPress).

You can use our PHP objection injection test plugin to make testing this proof of concept easier.

Timeline

  • June 24, 2017 – Developer notified.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *