On Tuesday we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have fully disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during the monitoring we do to try to catch security fixes being made in plugins, due to its inclusion in another plugin. Then yesterday another plugin from the same developer as that other plugin popped up in that monitoring, again related to OptionTree. So this seems like a good time to disclose that both of those plugins are also vulnerable. There might be other plugins using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.
The first plugin we noticed it in is Simple Business Directory with Maps. That plugin includes OptionTree in the directory “option-tree” and when this plugin is active it loads OptionTree with this line in the plugin’s main file:
require_once( 'option-tree/ot-loader.php' );
From there you get to an authenticated PHP object injection that is normally exploitable by users with the Contributor role and above, due to the code explained in the previous post.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown when logged in to WordPress as a user with the Contributor role or above.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[nonce]” with a valid nonce. The valid nonce can be found in the source code of the page to create or edit a post on the line that starts “var option_tree”.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=add_list_item&nonce=[nonce]&settings=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=
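As an added example (not part of the original post or of either plugin), the following Python script shows how a site administrator could spot attempts of this kind in web server access logs: it looks for requests to the add_list_item action whose base64-decoded settings parameter is a serialized PHP object, which is the shape of the proof of concept above. The log lines are constructed samples and the line pattern assumes the common log format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# A serialized PHP object starts O:<len>:"<class>":<props>:{ ; arrays start a:, strings s:
SERIALIZED_OBJECT = re.compile(rb'^O:\d+:"([^"]+)":\d+:\{')

# Common-log-format line: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d+)'
)

# Constructed sample log (not real traffic): the first request carries the post's
# test payload, the second a harmless serialized array, the third is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2019:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_list_item&nonce=abc123&settings=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30= HTTP/1.1" 200 512
10.0.0.6 - - [20/Jun/2019:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=add_list_item&nonce=abc123&settings=YToxOntzOjU6InRpdGxlIjtzOjQ6InRlc3QiO30= HTTP/1.1" 200 512
10.0.0.7 - - [20/Jun/2019:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
"""


def decode_settings(url: str):
    """Return the base64-decoded 'settings' value of an add_list_item request, else None."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("action") != ["add_list_item"] or "settings" not in qs:
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        return base64.b64decode(qs["settings"][0], validate=True)
    except binascii.Error:
        return None  # not valid base64, so unserialize() would get garbage anyway


def find_object_injection_attempts(log_text: str):
    """Return a list of (client IP, class name) for requests whose settings blob is a PHP object."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        blob = decode_settings(m.group("url"))
        if blob is None:
            continue
        obj = SERIALIZED_OBJECT.match(blob)
        if obj:
            hits.append((m.group("ip"), obj.group(1).decode("latin-1")))
    return hits
```

Only a serialized object (the "O:" prefix) is flagged; a serialized array passed to the same action is left alone, so the check can run over a full day's log without drowning in legitimate option saves.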