22 Feb 2018

Is This Authenticated PHP Object Injection Vulnerability Why a Hacker Would Be Interested in the Category Order and Taxonomy Terms Order Plugin?

Several days ago we had a request on this website from the IP address 66.148.121.112 (which has a history of reported abuse) for a file that would be located at /wp-content/plugins/taxonomy-terms-order/css/to.css. That is a file from the plugin Category Order and Taxonomy Terms Order, and our guess would be that the request was from a hacker probing for usage of the plugin in preparation for trying to exploit a vulnerability in it. In looking over the plugin we found an authenticated PHP object injection vulnerability that might be what a hacker would be interested in exploiting.

The plugin makes the function TOsaveAjaxOrder() available through WordPress' AJAX functionality to anyone logged in:

add_action( 'wp_ajax_update-taxonomy-order', 'TOsaveAjaxOrder' );

That function (which is located in the file /taxonomy-terms-order.php) unserializes the value of the POST input “order”, which can lead to PHP object injection:

function TOsaveAjaxOrder()
	{
		global $wpdb;
		$taxonomy = stripslashes($_POST['taxonomy']);
		$data = stripslashes($_POST['order']);
		$unserialised_data = unserialize($data);

The requirement that an attacker have access to a WordPress account limits the likelihood of exploitation of the vulnerability. But past experience indicates that hackers will target authenticated versions of vulnerability types they would otherwise exploit in plugins with as few as 100,000+ active installs, according to wordpress.org, and this plugin has 300,000+, so it seems reasonable to believe this could be what a hacker is targeting. If you see some other issue that hackers might be targeting, we would love to hear about it.

After we notified the developer of the vulnerability they released version 1.5.3, which fixes the vulnerability by replacing the usage of unserialize() with json_decode() (and the related serialization elsewhere with JSON encoding):

function TOsaveAjaxOrder()
	{
		global $wpdb;
		$data               = stripslashes($_POST['order']);
		$unserialised_data  = json_decode($data, TRUE);
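To make the difference between the two versions concrete, the following is an added example (not the plugin's code) that puts the vulnerable and fixed shapes of the function side by side and runs both against a legitimate term order and an object injection payload. The LoggingGadget class, the helper names and both inputs are constructed for this demonstration; the stripslashes() calls mirror the plugin because WordPress adds slashes to request data.

```php
<?php
// Added example, not the plugin's code: vulnerable and fixed shapes of
// TOsaveAjaxOrder() run against a legitimate order list and an
// object-injection payload. LoggingGadget and both inputs are constructed.

// Stand-in for any class with a magic method that happens to be loaded
// (WordPress core, a theme, another plugin). Here __destruct() only records
// that it ran; in a real gadget chain it might write a file or include a template.
class LoggingGadget
{
    public $note = '';
    public static $fired = [];

    public function __destruct()
    {
        self::$fired[] = $this->note;
    }
}

// Vulnerable shape (before 1.5.3): whatever class the request names gets
// instantiated, and its magic methods run.
function to_save_order_vulnerable(string $order)
{
    $data = stripslashes($order);
    return unserialize($data);
}

// Fixed shape (1.5.3): json_decode() yields only arrays and scalars, so no
// object is ever constructed from request data; non-JSON input is rejected.
function to_save_order_fixed(string $order): ?array
{
    $data = stripslashes($order);
    $decoded = json_decode($data, true);
    return is_array($decoded) ? $decoded : null;
}

// Alternative for code that must keep PHP's serialize format (PHP >= 7.0):
// refusing every class yields __PHP_Incomplete_Class, and no magic method runs.
function to_save_order_no_classes(string $order)
{
    return unserialize(stripslashes($order), ['allowed_classes' => false]);
}

// Cheap request-level check matching the shape of the PoC payload: a
// serialized PHP object always begins with O:<length>:"<class>":
function looks_like_php_object(string $order): bool
{
    return (bool) preg_match('/^O:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/', stripslashes($order));
}

// Legitimate input: an ordered list of term IDs, in each encoding.
$legit_serialized = serialize([12, 7, 3]);
$legit_json       = json_encode([12, 7, 3]);

// Constructed attacker input: an instance of a loaded class, as in the PoC.
$payload = 'O:13:"LoggingGadget":1:{s:4:"note";s:8:"pwned!!!";}';

$ok  = to_save_order_vulnerable($legit_serialized);  // plain array, as intended
$bad = to_save_order_vulnerable($payload);           // a LoggingGadget object
printf("vulnerable: legit -> %s, payload -> %s\n", gettype($ok), get_class($bad));
unset($bad);                                         // __destruct() fires here
printf("destructors fired so far: %d\n", count(LoggingGadget::$fired));

$ok2  = to_save_order_fixed($legit_json);     // plain array
$bad2 = to_save_order_fixed($payload);        // rejected: not JSON
$bad3 = to_save_order_no_classes($payload);   // object, but no class instantiated
printf("fixed: legit -> %s, payload -> %s\n", gettype($ok2), var_export($bad2, true));
printf("allowed_classes=false: payload -> %s\n", get_class($bad3));
printf("destructors fired in total: %d\n", count(LoggingGadget::$fired));
printf("looks_like_php_object: legit %s, payload %s\n",
    var_export(looks_like_php_object($legit_serialized), true),
    var_export(looks_like_php_object($payload), true));
```

The point the harness makes is that the attacker never needs a class with an exploitable magic method inside this plugin; any class loaded by WordPress, the theme or another plugin will do, which is why switching the wire format to JSON (or refusing all classes) is the right fix rather than filtering class names.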

Wider Warning

Because the vulnerability may be being targeted by hackers, we are adding it to the free data that comes with our service's companion plugin, so that even those not using our service yet can be warned if they are using a vulnerable version of the plugin.

We have also added a new check to our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), so if you check a plugin that contains a possible PHP object injection vulnerability caused by similar code, it will now be flagged.
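As an added example of what such a check can look like (this is not the Plugin Security Checker's own code), the following minimal static check flags unserialize() calls whose argument is request data, either directly or through a variable that was assigned from a superglobal earlier in the same file. The three sample sources are constructed from the snippets quoted in this post.

```php
<?php
// Added example, not the Plugin Security Checker's own code: a line-based
// check for unserialize() fed from request data, directly or via a variable
// assigned from a superglobal earlier in the same file.

function find_unserialize_of_request_data(string $php_source): array
{
    $superglobal = '\$_(?:POST|GET|REQUEST|COOKIE)\b';
    $tainted  = [];   // variable name => line where request data flowed into it
    $findings = [];

    foreach (preg_split('/\R/', $php_source) as $i => $line) {
        $lineno = $i + 1;

        // Record "$var = <anything containing a superglobal>" so that a later
        // unserialize($var) can be tied back to request input.
        if (preg_match('/\$(\w+)\s*=(?!=).*' . $superglobal . '/', $line, $m)) {
            $tainted[$m[1]] = $lineno;
        }

        if (!preg_match('/\bunserialize\s*\((.*)\)/', $line, $m)) {
            continue;
        }
        $arg = $m[1];

        // PHP 7 callers that refuse every class cannot instantiate objects.
        if (preg_match('/allowed_classes.*false/', $arg)) {
            continue;
        }

        if (preg_match('/' . $superglobal . '/', $arg)) {
            $findings[] = ['line' => $lineno, 'reason' => 'unserialize() called directly on request data'];
            continue;
        }

        preg_match_all('/\$(\w+)/', $arg, $vars);
        foreach ($vars[1] as $name) {
            if (isset($tainted[$name])) {
                $findings[] = [
                    'line'   => $lineno,
                    'reason' => sprintf('unserialize($%s) where $%s was assigned from request data on line %d',
                                        $name, $name, $tainted[$name]),
                ];
            }
        }
    }
    return $findings;
}

// Constructed samples: the vulnerable snippet, the 1.5.3 fix, and the
// allowed_classes variant.
$vulnerable = <<<'PHP'
function TOsaveAjaxOrder()
    {
        global $wpdb;
        $taxonomy = stripslashes($_POST['taxonomy']);
        $data = stripslashes($_POST['order']);
        $unserialised_data = unserialize($data);
PHP;

$fixed = <<<'PHP'
function TOsaveAjaxOrder()
    {
        global $wpdb;
        $data               = stripslashes($_POST['order']);
        $unserialised_data  = json_decode($data, TRUE);
PHP;

$hardened = <<<'PHP'
$data = stripslashes($_POST['order']);
$obj  = unserialize($data, ['allowed_classes' => false]);
PHP;

foreach (['vulnerable' => $vulnerable, 'fixed' => $fixed, 'hardened' => $hardened] as $label => $src) {
    $hits = find_unserialize_of_request_data($src);
    printf("%-10s %s\n", $label, $hits ? json_encode($hits) : 'no finding');
}
```

A check this simple only follows assignments within one file and will miss data that passes through a function call or an option stored earlier, so it is a triage aid for reviewers rather than a verdict; anything it flags still needs a human to confirm that the unserialized value is reachable from a request.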

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message "PHP object injection has occurred." to be shown, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="update-taxonomy-order" />
<input type="hidden" name="order" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • February 20, 2018 – Developer notified.
  • February 21, 2018 – Developer responds.
  • February 22, 2018 – Version 1.5.3 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
