20 Nov

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed they knew about it until after it others had noticed and possibly after it had been exploited. Completely coincidentally during our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we have spotted the same kind of serious vulnerability being introduced today in to a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line:

$cookie_test = json_decode(stripslashes($_COOKIE['apbct_cookies_test']), true);


$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Unserializing that cookie, which consists of user input, would permit PHP object injection to occur.

One route to that code executing starts with accessing the function apbct_form__ninjaForms__testSpam() through WordPress’ AJAX functionality, which can be done whether logged in or not:

add_action( 'wp_ajax_nopriv_ninja_forms_ajax_submit', 'apbct_form__ninjaForms__testSpam', 1);
add_action( 'wp_ajax_ninja_forms_ajax_submit',        'apbct_form__ninjaForms__testSpam', 1);

In that function the function apbct_base_call() gets called:

function apbct_form__ninjaForms__testSpam() {
    $base_call_result = apbct_base_call(

That in turn will call the function apbct_get_submit_time():

function apbct_base_call($params = array(), $reg_flag = false){
	$ct_request->submit_time     = apbct_get_submit_time();

And that in turn calls the function apbct_cookies_test():

function apbct_get_submit_time()
	return apbct_cookies_test() == 1 ? time() - (int)$_COOKIE['apbct_timestamp'] : null;

Which gets us back to the code originally discussed:

function apbct_cookies_test()
	global $apbct;
		$cookie_test = unserialize(stripslashes($_COOKIE['apbct_cookies_test']));

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “apbct_cookies_test” to “O:20:”php_object_injection”:0:{}” and then when visiting the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=ninja_forms_ajax_submit

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.