One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated PHP object injection vulnerability we found in the plugin FireDrum Email Marketing. This vulnerability could have allowed an attacker that had access to a WordPress account with access to the admin area to exploit a PHP object injection vulnerability. It also could have allowed an attacker that could get a user logged in with an account that has access to the admin area to visit a URL the attacker controls, to exploit the vulnerability as well.

Since the check used to spot this is also included in our Plugin Security Checker (which  is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our service as well as separately).

The vulnerability occurred in the function on_admin_notices(). That function, which is located in the file /plugin.class.php, passed the base64 decoded value of the GET input “firedrum-m” through the unserialize() function, which could lead to PHP object injection:

183
184
185

public function on_admin_notices() {
	if ( isset( $_GET[self::$branding . '-m'] ) ) {
		$notices = unserialize( base64_decode( $_GET[self::$branding . '-m'] ) );

That function is run when admin notices are displayed, which occurs when visiting admin pages:

86
87
88

add_action( 'admin_notices', array(
	$this,
	'on_admin_notices'

On the same day that we notified the developer of the issue, they released version 1.48, which resolves the vulnerability by replacing use of unserialize() with json_decode() (and replaces related use of serialize() with json_encode()):

185

$notices = json_decode( $_GET[self::$branding . '-m'], true );

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to an account that has access to the admin area of WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/index.php?firedrum-m=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30%3D

Timeline

• June 22, 2018 –  Developer notified.
• June 22, 2018 – Version 1.48 released, which fixes vulnerability.
• June 22, 2018 – Developer responds.

Concerned About The Security of the Plugins You Use?