15 Nov

Full Disclosure of PHP Object Injection Vulnerability in WordPress Plugin with 20,000+ Installs

Yesterday as part of our monitoring of WordPress plugins’ changelogs for indications that vulnerabilities have been fixed, so that we can add those vulnerabilities to our data set, the plugin Yet Another Stars Rating popped up. The changelog entry for the latest version of that is “FIXED: security fix”. Looking at the change made in that version that is accurate as code that prevents cross-site request forgery (CSRF) was fixed so that it would work properly. When we started to look at what might be the significance of that we noticed a more serious issue that still exists in the plugin, it is vulnerable to PHP object injection in at least one location (and probably others as well), which is a type of vulnerability that more advanced hackers have been known to exploit widely.

When using the plugin’s shortcode yasr_visitor_multiset the function yasr_visitor_multiset_callback() is run:

523
add_shortcode ('yasr_visitor_multiset', 'yasr_visitor_multiset_callback');

Part way in to that function, which is located in the file /lib/yasr-shortcode-functions.php, the value of the cookie “yasr_multi_visitor_cookie” will be strip of slashes and then unserialized, the latter of which permits PHP object injection to occur:

556
557
558
559
if (isset($_COOKIE[$yasr_cookiename])) {
 
	$cookie_data = stripslashes($_COOKIE[$yasr_cookiename]);
	$cookie_data = unserialize($cookie_data);

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “yasr_multi_visitor_cookie” to ‘O:20:”php_object_injection”:0:{}’ and then when visiting a page with the shortcode “yasr_visitor_multiset” the message “PHP object injection has occurred.” will be shown.


Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

Leave a Reply

Your email address will not be published. Required fields are marked *