01 Nov

PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)

In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one where we couldn’t see that it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It is also yet another reminder that we really need to review the security of the plugins we use, since there are multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.

The plugin contains a function that makes a request to the domain name yarpp.org to check if there is a new version of the plugin available. The problem is that this code introduces a PHP object injection vulnerability that could be exploited by someone who controlled that domain, which would be much easier to accomplish if the domain name isn’t renewed by the plugin’s developer. The relevant portion of the function, which is located in the file /classes/YARPP_Core.php, is as follows:

public function version_info($enforce_cache = false) {
	// Serve a cached result unless the caller forces a fresh check
	if (!$enforce_cache && false !== ($result = $this->get_transient('yarpp_version_info'))) return $result;
	$version = YARPP_VERSION;
	$remote = wp_remote_post("http://yarpp.org/checkversion.php?format=php&version={$version}");
	if (is_wp_error($remote) || wp_remote_retrieve_response_code($remote) != 200 || !isset($remote['body'])){
		$this->set_transient('yarpp_version_info', null, 60*60);
		return false;
	}
	// The raw response body from yarpp.org is passed straight to unserialize()
	if ($result = @unserialize($remote['body'])) $this->set_transient('yarpp_version_info', $result, 60*60*24);

That takes the page returned for the address http://yarpp.org/checkversion.php?format=php&version={$version} and runs it through unserialize(), which permits PHP object injection. Interestingly, the comment right above the code indicates (accurately) that the response was previously handled in a different way, which avoided this vulnerability, and was then switched to the insecure method now used.

That function would run when visiting the plugin’s settings page.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, change the plugin’s code so that instead of requesting “http://yarpp.org/checkversion.php?format=php&version={$version}” it requests a page with ‘O:20:"php_object_injection":0:{}’ as its contents. Then, when visiting the settings page for the plugin, a message “PHP object injection has occurred.” will be shown.
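As an added example (not code from the plugin), the following contrasts the unserialize() pattern above with two safer ways of handling the version-check response: refusing object instantiation with allowed_classes, and switching to a format with no object semantics. The marker class, the constructed response bodies and the parse_* function names are assumptions for illustration.

```php
<?php
// Added example, not YARPP's own code. The class, bodies and functions are constructed.

// Stand-in for the test plugin's marker class: any class with a magic method is enough
// to show that unserialize() runs code paths chosen by whoever controls the response.
class php_object_injection {
    public function __wakeup() { echo "PHP object injection has occurred.\n"; }
}

// Constructed response bodies of the kind checkversion.php?format=php might return.
$benign_body    = serialize(['current' => '5.1.0', 'beta' => null]);
$malicious_body = 'O:20:"php_object_injection":0:{}';

// 1. The pattern used in version_info(): trusts whatever the remote host sends.
function parse_vulnerable(string $body) {
    return @unserialize($body);   // instantiates any class named in $body
}

// 2. Same wire format, but no objects are ever instantiated (PHP >= 7.0).
function parse_hardened(string $body) {
    $data = @unserialize($body, ['allowed_classes' => false]);
    // Objects arrive as __PHP_Incomplete_Class; only a flat array of scalars is accepted.
    if (!is_array($data)) return false;
    foreach ($data as $v) {
        if (!is_scalar($v) && $v !== null) return false;
    }
    return $data;
}

// 3. Preferred: a format with no object semantics at all, plus strict field validation.
function parse_json(string $body) {
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['current'])) return false;
    if (!preg_match('/^\d+(\.\d+){1,3}$/', (string) $data['current'])) return false;
    return $data;
}

parse_vulnerable($malicious_body);     // __wakeup() of the remote-chosen class runs
var_dump(parse_hardened($malicious_body)); // object refused
var_dump(parse_hardened($benign_body));    // plain version array accepted
var_dump(parse_json(json_encode(['current' => '5.1.0'])));
```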

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
