20 Nov

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed they knew about it until after it others had noticed and possibly after it had been exploited. Completely coincidentally during our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we have spotted the same kind of serious vulnerability being introduced today in to a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line:

795
$cookie_test = json_decode(stripslashes($_COOKIE['apbct_cookies_test']), true);

to

795
$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Unserializing that cookie, which consists of user input, would permit PHP object injection to occur.

One route to that code executing starts with accessing the function apbct_form__ninjaForms__testSpam() through WordPress’ AJAX functionality, which can be done whether logged in or not:

139
140
add_action( 'wp_ajax_nopriv_ninja_forms_ajax_submit', 'apbct_form__ninjaForms__testSpam', 1);
add_action( 'wp_ajax_ninja_forms_ajax_submit',        'apbct_form__ninjaForms__testSpam', 1);

In that function the function apbct_base_call() gets called:

1831
function apbct_form__ninjaForms__testSpam() {
1861
    $base_call_result = apbct_base_call(

That in turn will call the function apbct_get_submit_time():

77
function apbct_base_call($params = array(), $reg_flag = false){
104
	$ct_request->submit_time     = apbct_get_submit_time();

And that in turn calls the function apbct_cookies_test():

836
function apbct_get_submit_time()
838
	return apbct_cookies_test() == 1 ? time() - (int)$_COOKIE['apbct_timestamp'] : null;

Which gets us back to the code originally discussed:

789
790
791
792
793
794
795
function apbct_cookies_test()
{
	global $apbct;
 
	if(isset($_COOKIE['apbct_cookies_test'])){
 
		$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “apbct_cookies_test” to “O:20:”php_object_injection”:0:{}” and then when visiting the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

2 thoughts on “We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

    • The best way for everyone to check if vulnerabilities in WordPress plugins have been fixed is to use our service as we verify if they have been truly fixed (we often find that plugin developers believe they have fixed vulnerabilities when they haven’t).

Leave a Reply

Your email address will not be published. Required fields are marked *