05 Sep

PHP Object Injection Vulnerability in Booster for WooCommerce

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for are PHP object injection vulnerabilities since those are likely to be exploited if hackers become aware of them. Through that we came across a PHP object injection vulnerability in the Email Verification module of the plugin Booster for WooCommerce.

When the Email Verification modules is enabled (it and all of the other modules are disabled by default) the function process_email_verification() in the file /includes/class-wcj-emails-verification.php is run during init:

32
add_action( 'init',                              array( $this, 'process_email_verification' ),                      PHP_INT_MAX );

That function will unserialize the value of the GET input “wcj_verify_email”, which can be abused to cause PHP object injection to occur:

111
112
113
function process_email_verification(){
	if ( isset( $_GET['wcj_verify_email'] ) ) {
		$data = unserialize( base64_decode( $_GET['wcj_verify_email'] ) );

The developer put in fix for the vulnerability in the development version of the plugin six days after we notified them of it, but a new version still has yet to be released a month later. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, visiting the following URL while logged in to WordPress will cause the message “PHP object injection has occurred.” to be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?wcj_verify_email=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=

Timeline

  • August 4, 2017 – Developer notified.
  • August 10, 2017 – Developer responds.
  • September 11, 2017 – Version 3.1.0 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *