13 Nov 2018

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Portfolio X

Last week we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree, and then the same vulnerability in two plugins released by a single developer that bundled the OptionTree plugin, which we had noticed because the changelog for OptionTree popped up in our monitoring of changelog changes. That occurred again with another of the plugins by the same developer, Portfolio X. This time, though, it was because the OptionTree plugin was being removed from the plugin, which fixes the vulnerability.


13 Nov 2018

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Security Plugin with 70,000+ Installs

Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance, we started looking into improving the detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we ran some checks over the 1,000 most popular WordPress plugins to get a better idea of how much similar code might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.

That a security plugin can have a fairly serious vulnerability speaks to one of the problems we see with the security industry’s ability to meet the needs of the public. On the one hand, the average website, which shouldn’t need security products and services, is being sold ones that don’t work well at best. At the same time, those websites that genuinely need advanced security tools are unable to get ones that work well, or the tools introduce security risks of their own. This plugin falls into the latter category: it is something that could be useful for some websites, but it is also something that introduces additional security risk.

12 Nov 2018

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Infographic Maker iList

Last week we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree, and then the same vulnerability in two plugins released by a single developer that bundled the OptionTree plugin, which we had noticed because the changelog for OptionTree popped up in our monitoring of changelog changes. That occurred again with another of the plugins by the same developer, Infographic Maker iList. This time, though, it was because the OptionTree plugin was being removed from the plugin, which fixes the vulnerability.


12 Nov 2018

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Slider Hero

Last week we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree, and then the same vulnerability in two plugins released by a single developer that bundled the OptionTree plugin, which we had noticed because the changelog for OptionTree popped up in our monitoring of changelog changes. That occurred again with another of the plugins by the same developer, Slider Hero. This time, though, it was because the OptionTree plugin was being removed from the plugin, which fixes the vulnerability.


9 Nov 2018

Authenticated PHP Object Injection Vulnerability in Simple Link Directory

On Tuesday we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, while plugins with more serious vulnerabilities we have fully disclosed have not been, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it, due to its inclusion in another plugin, during the monitoring we do to try to catch security fixes being made in plugins. Then yesterday another plugin from the developer of that other plugin popped up in that monitoring, again related to OptionTree. So this seems like a good time to disclose that both of those plugins are also vulnerable. There might be other plugins using OptionTree as well, though at least we didn’t find that any of the top 1,000 are.

The second plugin we noticed it in is Simple Link Directory. That plugin includes OptionTree in the directory “option-tree”, and when this plugin is active it loads OptionTree with this line in the plugin’s main file:

9 Nov 2018

Authenticated PHP Object Injection Vulnerability in Simple Business Directory with Maps

On Tuesday we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, while plugins with more serious vulnerabilities we have fully disclosed have not been, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it, due to its inclusion in another plugin, during the monitoring we do to try to catch security fixes being made in plugins. Then yesterday another plugin from the developer of that other plugin popped up in that monitoring, again related to OptionTree. So this seems like a good time to disclose that both of those plugins are also vulnerable. There might be other plugins using OptionTree as well, though at least we didn’t find that any of the top 1,000 are.

The first plugin we noticed it in is Simple Business Directory with Maps. That plugin includes OptionTree in the directory “option-tree”, and when this plugin is active it loads OptionTree with this line in the plugin’s main file:

6 Nov 2018

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin with 100,000+ Installs

The WordPress plugin OptionTree recently came on to our radar through our monitoring for indications that changes made to plugins have fixed security issues, as it was included in another plugin and that plugin’s latest changelog entry indicated a security issue had been fixed in the latest version (the relevant vulnerability was already in our data set). Including this plugin in another plugin seems to be of some concern considering the plugin hasn’t been updated in two and a half years. We did a little checking over the plugin and found that it has an authenticated PHP object injection vulnerability that is exploitable not only when using the plugin directly but also through the other plugin it shipped with.

The plugin makes the function add_list_item() available to anyone logged in to WordPress:

25 Oct 2018

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin With 50,000+ Active Installs

One of the things we have found while looking at the results of our automated tool for identifying possible security issues in WordPress plugins, the Plugin Security Checker, is that minor possible vulnerabilities that it can identify can be good indications that there are broader issues with security in a plugin. That is the case with the plugin Give, which has 50,000+ active installations according to wordpress.org.

While looking over the 1,000 most popular WordPress plugins using some checks from the Plugin Security Checker, we were alerted to a possible issue with this plugin. Unrelated usage of serialization in the code we were looking at then led us to check whether there might be any PHP object injection vulnerabilities in the plugin, which, unlike the issue originally identified, are fairly likely to be exploited. That quickly led to us identifying one that can be exploited by anyone logged in to WordPress or through cross-site request forgery (CSRF).

23 Oct 2018

WordPress Continues To Prioritize Acting Inappropriately Over Making Sure Plugins Do Not Contain Exploitable Vulnerabilities

What makes the terrible moderation of the WordPress Support Forum, and the unwillingness of the moderators to stop acting inappropriately or resign in the face of how it harms security, even worse is that it isn’t as if some of them couldn’t be doing something useful instead of behaving inappropriately. Two of the moderators we have seen acting inappropriately (one of them being in control of the moderation as well) are also part of the six-member team that is in charge of the Plugin Directory. That team is failing to do what it claims to be doing, as we keep finding vulnerabilities that should have been caught by the manual security reviews they claim to do of new plugins. It seems entirely possible that these reviews are not even happening, but if they are, we have repeatedly offered to help them avoid this type of situation, to no effect.

Once again, our proactive monitoring of changes made to plugins in the Plugin Directory, which we do to try to catch serious vulnerabilities before they are exploited, identified a possible PHP object injection vulnerability in a new plugin. That is the type of vulnerability that more advanced hackers will exploit. This time it was in the plugin Ticketrilla: Client.