23 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in DukaPress

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin DukaPress, the value of a cookie was passed through the unserialize() function, which could lead to PHP object injection. That occurred in the function get_cart_cookie() (in the file /classes/dukapress-cart.php):

static function get_cart_cookie() {
	$cookie_id = self::$cookie_id_string . COOKIEHASH;
	if ( isset( $_COOKIE[ $cookie_id ] ) ) {
		$cart = unserialize( stripslashes( $_COOKIE[ $cookie_id ] ) );

The value of COOKIEHASH in that is set by WordPress with the following code:

define( 'COOKIEHASH', md5( $siteurl ) );

That function is accessible through WordPress’ AJAX functionality whether someone is logged in to WordPress or not:

add_action('wp_ajax_nopriv_dpsc_update_cart', array(__CLASS__, 'update_cart'));
add_action('wp_ajax_dpsc_update_cart', array(__CLASS__, 'update_cart'));

We contacted the developer about the vulnerability yesterday and within hours they had released version 3.2 that resolved it by replacing use of unserialize() with json_decode() (and replaces related use of serialize() with json_encode()):

$cart = json_decode(  $_COOKIE[ $cookie_id ] , true );

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “dpsc_cart_” plus the md5 hashed version of the website’s site URL to “O:20:”php_object_injection”:0:{}” and then when you visit the following URL  the message “PHP object injection has occurred.” will be shown if you are not logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=wsfl_add_product_to_cart


  • March 23, 2018 – Developer notified.
  • March 23, 2018 – Version 3.2 released, which fixes vulnerability.
  • March 23, 2018 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.