01 Nov

PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)

In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one that we couldn’t see where it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It also is yet another reminder we really need to review the security of the plugins that we use since there would be multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.

The plugin contains a function that makes a request to the domain name yarpp.org to check if there is a new version of the plugin available. The problem is that code introduces a PHP object injection that could be exploited by someone that controlled that domain, which would be much easier to accomplish if the domain name isn’t renewed by the plugin’s developer. The relevant portion of the function, which is located in the file /classes/YARPP_Core.php, is as follows:

public function version_info($enforce_cache = false) {
	if (!$enforce_cache && false !== ($result = $this->get_transient('yarpp_version_info'))) return $result;
	$version = YARPP_VERSION;
	$remote = wp_remote_post("http://yarpp.org/checkversion.php?format=php&version={$version}");
	if (is_wp_error($remote) || wp_remote_retrieve_response_code($remote) != 200 || !isset($remote['body'])){
		$this->set_transient('yarpp_version_info', null, 60*60);
		return false;
	if ($result = @unserialize($remote['body'])) $this->set_transient('yarpp_version_info', $result, 60*60*24);

That takes the page returned for the address http://yarpp.org/checkversion.php?format=php&version={$version} and runs it through unserialize(), which permits PHP object injection. Interestingly the comment right above the code indicates (accurately) that the code was previously handled in a different way, which avoided this vulnerability and then was switched to the insecure method now used.

That function would run when visiting the plugin’s settings page.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, change the plugin’s code so that instead of requesting “http://yarpp.org/checkversion.php?format=php&version={$version}” it requests a page with ‘O:20:”php_object_injection”:0:{}’ as it contents and then when visiting the settings page for the plugin a message “PHP object injection has occurred.” will be shown.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.