One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WordPress Survey & Poll the value of a cookie, “wp_sap”, was passed through the unserialize() function in several locations, which could lead to PHP object injection. One of those locations was in the function enqueue_custom_scripts_and_styles() in the file /wordpress-survey-and-poll.php:

208
209
210
211
212
213
214
215
216
217
218
219
220
221
222

function enqueue_custom_scripts_and_styles() {
	global $wpdb;
	wp_enqueue_style( 'wp_sap_style', plugins_url( '/templates/assets/css/wp_sap.css', __FILE__ ) );
	wp_enqueue_style( 'jquery_ui_style', plugins_url( '/templates/assets/css/jquery-ui.css', __FILE__ ) );
	wp_enqueue_script( 'jquery' );
	wp_enqueue_script( 'jquery-ui-core', array( 'jquery' ) );
	wp_enqueue_script( 'jquery-effects-core', array( 'jquery' ) );
	wp_enqueue_script( 'jquery-effects-slide', array( 'jquery-effects-core' ) );
	wp_enqueue_script( 'jquery-visible',plugins_url( '/templates/assets/js/jquery.visible.min.js', __FILE__ ), array( 'jquery' ), '1.10.2' );
	wp_register_script('wp_sap_script', plugins_url( '/templates/assets/js/wp_sap.js' , __FILE__ ), array( 'jquery' ), '1.0.0.2', true );
		$survey_viewed = array();
		$sv = '';
		$sv_condition = '';
			if ( isset( $_COOKIE[ 'wp_sap' ] ) ) {
				$survey_viewed = unserialize( stripslashes( $_COOKIE[ 'wp_sap' ] ) );

That function gets called during init if the page being requested is not an admin page of WordPress and if the GET or POST input “sspcmd” exists:

24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

if ( is_admin() ) {
	require_once( sprintf( "%s/settings.php", dirname( __FILE__ ) ) );
	$wp_sap_settings = new wp_sap_settings();
	$plugin = plugin_basename( __FILE__ );
	add_filter( "plugin_action_links_$plugin", array( &$this, 'plugin_settings_link' ) );
}
else {
	$wp_sap_url = $_SERVER[ 'HTTP_HOST' ] . $_SERVER[ 'REQUEST_URI' ];
	$wp_sap_load = true;
	if ( ( strpos( $wp_sap_url, 'wp-login' ) ) !== false ) {
		$wp_sap_load = false;
	}
	if ( ( strpos( $wp_sap_url, 'wp-admin' ) ) !== false ) {
		$wp_sap_load = false;
	}
	if ( $wp_sap_load || isset( $_REQUEST[ 'sspcmd' ] ) ) {
		//integrate the public functions
		add_action( 'init', array( &$this, 'enqueue_custom_scripts_and_styles' ) );

That made the vulnerable code accessible to anyone.

We notified the developer of the issue yesterday and a couple of hours later they released version 1.5.6, which resolves the vulnerability by replacing usage of unserialize() with and json_decode() (along with related usage of serialize() with json_encode()).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “wp_sap” to “O:20:”php_object_injection”:0:{}” and then when you visit the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?sspcmd=test

Timeline

• May 24, 2018 – Developer notified.
• Mary 24, 2018 – Developer responds.
• May 24, 2018 – Version 1.5.6 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?