08 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WooCommerce Save For Later Cart Enhancement

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WooCommerce Save For Later Cart Enhancement the value of cookies are passed through the unserialize() function, which could lead to PHP object injection. One of the instances of that occurs is in the function wsfl_add_product_to_cart() (in the file /public/class-woo-save-for-later-public.php):

256
257
258
259
260
261
262
263
264
265
266
public function wsfl_add_product_to_cart() {
 
	global $product,$woocommerce,$post;
 
	$getCurrentUserID = get_current_user_id();
	$encodeUserID = md5($getCurrentUserID);
	$cookieName = WSFL_PLUGIN_COOKIE_NAME.$encodeUserID;
 
	$productID = ( $_POST['productID'] )? $_POST['productID'] : '';
 
	$cookieProductArr = maybe_unserialize(stripslashes( $_COOKIE[$cookieName]) );

That function is accessible through WordPress’ AJAX functionality whether someone is logged in to WordPress or not:

199
200
$this->loader->add_action( 'wp_ajax_wsfl_add_product_to_cart', $plugin_public, 'wsfl_add_product_to_cart' ); 
$this->loader->add_action( 'wp_ajax_nopriv_wsfl_add_product_to_cart', $plugin_public, 'wsfl_add_product_to_cart' );

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “wsfl_save_product_cfcd208495d565ef66e7dff9f98764da” to “O:20:”php_object_injection”:0:{}” and then when you visit the following URL  the message “PHP object injection has occurred.” will be shown if you are not logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=wsfl_add_product_to_cart

Timeline

  • February 27, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *