08 Sep

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in BackupBuddy

Back in June we introduced a new feature to the service where we are proactively monitor changes made to plugins to try to catch serious vulnerabilities in plugins. To do that we first identify possible vulnerable code running a series of regular expressions over the changes being made to plugins in the Plugin Directory and then we manually check over any results that we haven’t previously reviewed. We recently have been seeing if doing that with the plugins installed in websites that we are doing hack cleanups of would be useful. Through that we found a cross-site request forgery (CSRF)/PHP object injection vulnerability in BackupBuddy, which is exploitable in multisite based WordPress installs.

The plugin features a beta multisite feature, which currently can be turned on by adding a line to the WordPress configuration file:


With that enabled the admin page Multisite Import Site is accessible in the Network Admin.

When that page is visited the file /controllers/pages/multisite_import.php is loaded, which will create a new instance class pluginbuddy_ms_import. In that class, also defined in that file, the __construct will run the following code:

// Set advanced options if they have been passed along.
if ( isset( $_POST['global_options'] ) && ( $_POST['global_options'] != '' ) ) {
	$this->advanced_options = unserialize( base64_decode( $_POST['global_options'] ) );

That code will unserialize the value of the POST input “global_options” if exists, which permits PHP object injection. There is no nonce check that occurs before that happens, so the code is susceptible to cross-site request forgery.

The makers of this plugin are also the makers of the popular WordPress security plugin iThemes Security, so you might expect that they would make easy to report vulnerabilities in their software, but we were unable to find any way to do that. That may not be all that surprising if know the reality that despite being a popular plugin, the plugin doesn’t protect against one of the few threats it identifies as leading to websites being hacked and has done some questionable stuff. Because there wasn’t any contact available we sent a reply to them on Twitter a week ago asking how to provide the details, but we haven’t got any response.

This vulnerability won’t be included in our service’s data as the data is not created with multisite’s security profile in mind.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown when logged in to the Network Admin.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/network/admin.php?page=pb_backupbuddy_multisite_import" method="POST" >
<input type="hidden" name="global_options" value="TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=" />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

To make sure a plugin you are using or considering using has been properly secured you get a complete security review of it from us.

Leave a Reply

Your email address will not be published. Required fields are marked *