Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed they knew about it until after it others had noticed and possibly after it had been exploited. Completely coincidentally during our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we have spotted the same kind of serious vulnerability being introduced today in to a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line:

795

$cookie_test = json_decode(stripslashes($_COOKIE['apbct_cookies_test']), true);

to

795

$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Unserializing that cookie, which consists of user input, would permit PHP object injection to occur.

One route to that code executing starts with accessing the function apbct_form__ninjaForms__testSpam() through WordPress’ AJAX functionality, which can be done whether logged in or not:

139
140

add_action( 'wp_ajax_nopriv_ninja_forms_ajax_submit', 'apbct_form__ninjaForms__testSpam', 1);
add_action( 'wp_ajax_ninja_forms_ajax_submit',        'apbct_form__ninjaForms__testSpam', 1);

In that function the function apbct_base_call() gets called:

1831

function apbct_form__ninjaForms__testSpam() {

1861

    $base_call_result = apbct_base_call(

That in turn will call the function apbct_get_submit_time():

77

function apbct_base_call($params = array(), $reg_flag = false){

104

	$ct_request->submit_time     = apbct_get_submit_time();

And that in turn calls the function apbct_cookies_test():

836

function apbct_get_submit_time()

838

	return apbct_cookies_test() == 1 ? time() - (int)$_COOKIE['apbct_timestamp'] : null;

Which gets us back to the code originally discussed:

789
790
791
792
793
794
795

function apbct_cookies_test()
{
	global $apbct;
 
	if(isset($_COOKIE['apbct_cookies_test'])){
 
		$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “apbct_cookies_test” to “O:20:”php_object_injection”:0:{}” and then when visiting the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit

Concerned About The Security of the Plugins You Use?

Plugin Security Scorecard Grade for Anti-Spam by CleanTalk

See issues causing the plugin to get less than A+ grade