09 Jul

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Advanced Advertising System

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin Advanced Advertising System the value of a cookie, “view_aas_campaigns”, is passed through the unserialize() function in a couple of locations, which could lead to PHP object injection. One of those locations is in the function is_available() in the file /shortcode.php:

$person = unserialize(stripslashes($_COOKIE['view_aas_campaigns'])); // Check a person from his cookie.

That code will run on pages where the plugin’s zone shortcode is used as long as it has a campaign attached to it.

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “view_aas_campaigns” to “O:20:"php_object_injection":0:{}” and then when you visit a page using the plugin’s zone shortcode (with a campaign attached to the zone) the message “PHP object injection has occurred.” will be shown.

Timeline

  • July 2, 2018 – Developer notified.
09 Jul

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Giveaway Boost

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin Giveaway Boost the value of a cookie is passed through the unserialize() function, which could lead to PHP object injection. That occurs in the function gb_getcookie(), which is located in the file /includes/cookies.functions.php:

function gb_getcookie($name, $default = false) {
	$value = isset($_COOKIE[$name]) ? maybe_unserialize(stripslashes($_COOKIE[$name])) : $default;

That code will run on the plugin’s promotion pages.

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “gb_tracking_” plus the post ID number to “O:20:"php_object_injection":0:{}” and then when you visit one of the plugin’s promotion pages the message “PHP object injection has occurred.” will be shown. The post ID can be found to the right of the text “gb_entry_” in the page’s source code.

Timeline

  • July 2, 2018 – Developer notified.
25 May

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WordPress Survey & Poll

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin WordPress Survey & Poll the value of a cookie, “wp_sap”, was passed through the unserialize() function in several locations, which could lead to PHP object injection. One of those locations was in the function enqueue_custom_scripts_and_styles() in the file /wordpress-survey-and-poll.php:

function enqueue_custom_scripts_and_styles() {
	global $wpdb;
	wp_enqueue_style( 'wp_sap_style', plugins_url( '/templates/assets/css/wp_sap.css', __FILE__ ) );
	wp_enqueue_style( 'jquery_ui_style', plugins_url( '/templates/assets/css/jquery-ui.css', __FILE__ ) );
	wp_enqueue_script( 'jquery' );
	wp_enqueue_script( 'jquery-ui-core', array( 'jquery' ) );
	wp_enqueue_script( 'jquery-effects-core', array( 'jquery' ) );
	wp_enqueue_script( 'jquery-effects-slide', array( 'jquery-effects-core' ) );
	wp_enqueue_script( 'jquery-visible',plugins_url( '/templates/assets/js/jquery.visible.min.js', __FILE__ ), array( 'jquery' ), '1.10.2' );
	wp_register_script('wp_sap_script', plugins_url( '/templates/assets/js/wp_sap.js' , __FILE__ ), array( 'jquery' ), '1.0.0.2', true );
		$survey_viewed = array();
		$sv = '';
		$sv_condition = '';
			if ( isset( $_COOKIE[ 'wp_sap' ] ) ) {
				$survey_viewed = unserialize( stripslashes( $_COOKIE[ 'wp_sap' ] ) );

That function gets called during init if the page being requested is not an admin page of WordPress and if the GET or POST input “sspcmd” exists:

if ( is_admin() ) {
	require_once( sprintf( "%s/settings.php", dirname( __FILE__ ) ) );
	$wp_sap_settings = new wp_sap_settings();
	$plugin = plugin_basename( __FILE__ );
	add_filter( "plugin_action_links_$plugin", array( &$this, 'plugin_settings_link' ) );
}
else {
	$wp_sap_url = $_SERVER[ 'HTTP_HOST' ] . $_SERVER[ 'REQUEST_URI' ];
	$wp_sap_load = true;
	if ( ( strpos( $wp_sap_url, 'wp-login' ) ) !== false ) {
		$wp_sap_load = false;
	}
	if ( ( strpos( $wp_sap_url, 'wp-admin' ) ) !== false ) {
		$wp_sap_load = false;
	}
	if ( $wp_sap_load || isset( $_REQUEST[ 'sspcmd' ] ) ) {
		//integrate the public functions
		add_action( 'init', array( &$this, 'enqueue_custom_scripts_and_styles' ) );

That made the vulnerable code accessible to anyone.

We notified the developer of the issue yesterday and a couple of hours later they released version 1.5.6, which resolves the vulnerability by replacing usage of unserialize() with json_decode() (along with related usage of serialize() with json_encode()).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “wp_sap” to “O:20:"php_object_injection":0:{}” and then when you visit the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/?sspcmd=test

Timeline

  • May 24, 2018 – Developer notified.
  • May 24, 2018 – Developer responds.
  • May 24, 2018 – Version 1.5.6 released, which fixes vulnerability.
16 Apr

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, Disc Golf Manager, and is something that the security review that is supposed to be done before new plugins are added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that.

The vulnerability occurs in function flashProcess() in the file /main.php where the value of the cookie “disc_golf_flash” is passed through the unserialize() function, which can lead to PHP object injection:

function flashProcess() {
	if(isset($_COOKIE[$this->key . '_flash'])) {
		$temp = unserialize(base64_decode($_COOKIE[$this->key . '_flash']));

That function will run anytime a WordPress page is being accessed:

add_action('init', array($this, 'flashProcess'));

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “disc_golf_flash” to “TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=” and then when you visit a page on the website the message “PHP object injection has occurred.” will be shown.

Timeline

  • April 9, 2018 – Developer notified.
23 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in DukaPress

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin DukaPress, the value of a cookie was passed through the unserialize() function, which could lead to PHP object injection. That occurred in the function get_cart_cookie() (in the file /classes/dukapress-cart.php):

static function get_cart_cookie() {
 
	$cookie_id = self::$cookie_id_string . COOKIEHASH;
 
	if ( isset( $_COOKIE[ $cookie_id ] ) ) {
		$cart = unserialize( stripslashes( $_COOKIE[ $cookie_id ] ) );

The value of COOKIEHASH in that is set by WordPress with the following code:

define( 'COOKIEHASH', md5( $siteurl ) );

That function is accessible through WordPress’ AJAX functionality whether someone is logged in to WordPress or not:

add_action('wp_ajax_nopriv_dpsc_update_cart', array(__CLASS__, 'update_cart'));
add_action('wp_ajax_dpsc_update_cart', array(__CLASS__, 'update_cart'));

We contacted the developer about the vulnerability yesterday and within hours they had released version 3.2, which resolved it by replacing use of unserialize() with json_decode() (and replacing related use of serialize() with json_encode()):

$cart = json_decode(  $_COOKIE[ $cookie_id ] , true );

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “dpsc_cart_” plus the md5 hashed version of the website’s site URL to “O:20:"php_object_injection":0:{}” and then when you visit the following URL the message “PHP object injection has occurred.” will be shown if you are not logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=wsfl_add_product_to_cart

Timeline

  • March 23, 2018 – Developer notified.
  • March 23, 2018 – Version 3.2 released, which fixes vulnerability.
  • March 23, 2018 – Developer responds.
14 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, HappyForms, and is something that the security review that is supposed to be done before new plugins are added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that.

The vulnerability occurred in function read() in the file /inc/classes/class-message-notices.php where the value of the cookie “happyforms-message-notices” was passed through the unserialize() function, which can lead to PHP object injection:

public function read() {
	$this->messages = array();
 
	if ( isset( $_COOKIE[ $this->cookie_name ] ) && ! empty( $_COOKIE[ $this->cookie_name ] ) ) {
		$this->messages = unserialize( stripslashes( $_COOKIE[ $this->cookie_name ] ) );

That function will run anytime a non-admin page is being accessed:

if ( ! is_admin() ) {
	add_action( 'send_headers', array( $this, 'read' ) );
}

After we notified the developer of the issue, they released version 1.1, which resolves the vulnerability by replacing use of unserialize() with json_decode() (and replacing related use of serialize() with json_encode()):

$this->messages = json_decode( stripslashes( $_COOKIE[ $this->cookie_name ] ), true );

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “happyforms-message-notices” to “O:20:"php_object_injection":0:{}” and then when you visit a frontend page the message “PHP object injection has occurred.” will be shown.

Timeline

  • February 13, 2018 – Developer notified.
  • February 14, 2018 – Developer responds.
  • March 13, 2018 – Version 1.1 released, which fixes vulnerability.
08 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WooCommerce Save For Later Cart Enhancement

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin WooCommerce Save For Later Cart Enhancement the values of cookies are passed through the unserialize() function, which could lead to PHP object injection. One instance of that is in the function wsfl_add_product_to_cart() (in the file /public/class-woo-save-for-later-public.php):

public function wsfl_add_product_to_cart() {
 
	global $product,$woocommerce,$post;
 
	$getCurrentUserID = get_current_user_id();
	$encodeUserID = md5($getCurrentUserID);
	$cookieName = WSFL_PLUGIN_COOKIE_NAME.$encodeUserID;
 
	$productID = ( $_POST['productID'] )? $_POST['productID'] : '';
 
	$cookieProductArr = maybe_unserialize(stripslashes( $_COOKIE[$cookieName]) );

That function is accessible through WordPress’ AJAX functionality whether someone is logged in to WordPress or not:

$this->loader->add_action( 'wp_ajax_wsfl_add_product_to_cart', $plugin_public, 'wsfl_add_product_to_cart' ); 
$this->loader->add_action( 'wp_ajax_nopriv_wsfl_add_product_to_cart', $plugin_public, 'wsfl_add_product_to_cart' );

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “wsfl_save_product_cfcd208495d565ef66e7dff9f98764da” to “O:20:"php_object_injection":0:{}” and then when you visit the following URL the message “PHP object injection has occurred.” will be shown if you are not logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=wsfl_add_product_to_cart

Timeline

  • February 27, 2017 – Developer notified.
05 Mar

Is This PHP Object Injection Vulnerability Why a Hacker Would Be Interested in the WordPress Plugin Newsletters?

On March 1 we had a request on this website for a file that would be located at wp-content/plugins/newsletters-lite/readme.txt. That is a file from the plugin Newsletters and our guess would be that the request was from a hacker probing for usage of the plugin in preparation to try to exploit a vulnerability in it. In looking over the plugin we found a PHP object injection vulnerability that might be what a hacker would be interested in exploiting, since that is a type of vulnerability they frequently target.

The plugin’s function init() in the file /wp-mailinglist.php runs during, not surprisingly, init:

$this -> add_action('init', 'init', 11, 1);

So it will run whenever WordPress loads.

In that function the variable $method is assigned the value of the GET input “wpmlmethod”:

$method = (empty($_GET[$this -> pre . 'method'])) ? $wpmlmethod : esc_html($_GET[$this -> pre . 'method']);

That is then used in a switch statement:

switch ($method) {

If $method is set to “paypal” the value of the POST input “custom” is urldecoded and then unserialized, which can lead to PHP object injection:

case 'paypal'			:
	global $Html, $SubscribersList;
	$req = 'cmd=_notify-validate';
 
	foreach ($_POST as $pkey => $pval) {
		$pval = urlencode(stripslashes($pval));
		$req .= "&" . $pkey . "=" . $pval . "";
	}
 
	$paypalsandbox = $this -> get_option('paypalsandbox');
 
	$custom = maybe_unserialize(urldecode($_POST['custom']));

We notified the developer of the situation within hours of us receiving the requests on the 1st and explained we would need to disclose the vulnerability shortly, but we could hold back disclosure for a short time if they provided us a timeline on it being fixed. The next day they responded without a timeline, but said they were working on a fix. It has now been three days and that has yet to be released.

Considering that this is a monetized plugin the developer should be able to promptly fix a vulnerability that may already be being exploited. Three days is more than enough time to do that, so we are going ahead with the disclosure as we need to warn our customers and don’t want others to be left without the possibility of knowing that they are at risk as well.

Wider Warning

Due to the fact that the vulnerability might be being targeted by hackers we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using a vulnerable version of the plugin. Though using our service would help us to catch more vulnerabilities before they might start getting exploited in the first place.

We have also improved an existing check for possible PHP object injection vulnerabilities in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), so if you check a plugin that contains a possible PHP object injection vulnerability caused by similar code, it will now be flagged.
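As an added illustration of the kind of source-level check just described (this is example code written for this page, not the Plugin Security Checker's own implementation), the following Python scanner flags unserialize() and maybe_unserialize() calls whose argument comes from $_COOKIE, $_GET, $_POST or $_REQUEST, looking through the stripslashes(), base64_decode() and urldecode() wrappers seen across these posts, and notes when the PHP 7 allowed_classes option is set to false. The PHP it scans is a constructed sample that mirrors the quoted snippets.

```python
"""Flag PHP unserialize() sinks fed by request input (constructed example)."""
import re

# Sinks quoted in these posts; maybe_unserialize() is WordPress's wrapper.
CALL_RE = re.compile(r"\b(unserialize|maybe_unserialize)\s*\(")
# Request-derived sources ($_REQUEST merges GET, POST and COOKIE).
SOURCES = ("$_COOKIE", "$_GET", "$_POST", "$_REQUEST")
# Decoders seen in the posts that hand attacker-controlled data straight through.
PASSTHROUGH = ("stripslashes", "base64_decode", "urldecode")
ALLOWED_RE = re.compile(r"allowed_classes'?\s*=>\s*false")


def call_argument(src: str, open_paren: int) -> str:
    """Return the text between the sink's parentheses, balancing nesting."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unterminated call: take the rest


def strip_passthrough(arg: str) -> str:
    """Peel stripslashes(base64_decode(X)) and the like down to X."""
    arg = arg.strip()
    changed = True
    while changed:
        changed = False
        for fn in PASSTHROUGH:
            m = re.match(rf"^{fn}\s*\((.*)\)$", arg, re.S)
            if m:
                arg, changed = m.group(1).strip(), True
    return arg


def find_tainted_unserialize(php: str) -> list:
    """Return (line, sink, source expression) for each sink reading request input.

    A call passing ['allowed_classes' => false] (PHP 7+) cannot instantiate
    objects, so its sink name is annotated rather than the finding dropped.
    """
    findings = []
    for m in CALL_RE.finditer(php):
        sink = m.group(1)
        arg = call_argument(php, m.end() - 1)
        core = strip_passthrough(arg.split(",")[0])  # first argument only
        if not any(s in core for s in SOURCES):
            continue
        if ALLOWED_RE.search(arg):
            sink += " (allowed_classes=false)"
        findings.append((php.count("\n", 0, m.start()) + 1, sink, core))
    return findings


# Constructed sample mirroring the snippets quoted in these posts.
SAMPLE = """<?php
$person = unserialize(stripslashes($_COOKIE['view_aas_campaigns']));
$temp = unserialize(base64_decode($_COOKIE[$this->key . '_flash']));
$custom = maybe_unserialize(urldecode($_POST['custom']));
$cart = json_decode($_COOKIE[$cookie_id], true);
$opts = unserialize(get_option('my_opts'));
$safe = unserialize($_COOKIE['x'], ['allowed_classes' => false]);
"""

if __name__ == "__main__":
    for line, sink, core in find_tainted_unserialize(SAMPLE):
        print(f"line {line}: {sink} reads {core}")
```

The json_decode() line, which is the form the fixed plugins adopted, and the call reading a stored option are not reported; only the request-fed sinks are.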

Our Plugin Security Checker has flagged several other possible issues in the plugin, so if you are using the plugin you may want to have the security of the plugin more thoroughly reviewed (something we offer as part of our main service and as a separate service).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/?wpmlmethod=paypal" method="POST" >
<input type="hidden" name="custom" value="O%3A20%3A%22php_object_injection%22%3A0%3A%7B%7D" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • March 1, 2018 – Developer notified.
  • March 2, 2018 – Developer responds.
  • March 12, 2018 – Version 4.6.8.6 released, which fixes vulnerability.
02 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WL Katalogsøk

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our main service as well as separately).

In the plugin WL Katalogsøk, user input is passed through the unserialize() function, which could lead to PHP object injection, when visiting a page using one of its shortcodes.

The plugin makes the function showSingleItem() available through a shortcode:

add_shortcode("wl-ils-enkeltpost", array('MBShortcode', "showSingleItem") );

That function, which is located in the file /lib/WL_Shortcode.php, assigns the value of the GET input “enkeltpostinfo” to the variable $info and then unserializes the base64_decoded version of it:

public static function showSingleItem ($atts) {
  $postout = null;
 
  if ( $info = _is($_GET, 'enkeltpostinfo') ) {
    $item_info = unserialize(base64_decode($info));

Even if the shortcode that causes that function to run is not used on the website, anyone logged in to WordPress could access it, as they can shortcodes in general, through WordPress’ AJAX functionality, and the vulnerability is exploitable that way as well.

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, visiting the following page will cause the message “PHP object injection has occurred.” to be shown.

Make sure to replace “[path to page with enkeltpostinfo shortcode]” with the location of a page with the shortcode “enkeltpostinfo” on it.

http://[path to page with enkeltpostinfo shortcode]?enkeltpostinfo=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=
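Across these posts the same serialized-object payload shows up in three encodings: raw in a cookie, base64-encoded where the plugin calls base64_decode() (as here and in Disc Golf Manager), and URL-encoded where it calls urldecode() (Newsletters). The following is an added Python example for the defending side, not code from any of the plugins or from the original posts: it inspects cookie, GET and POST values for a PHP serialized object, peeling those encodings first, so a log review or WAF rule can flag such input before it reaches an unserialize() call. The request data is constructed for the example.

```python
"""Spot PHP serialized-object payloads in request data (constructed example)."""
import base64
import binascii
import re
from urllib.parse import unquote

# A PHP serialized object begins with O:<name length>:"<class name>":<n>:{
OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def decode_layers(value: str, max_depth: int = 3) -> list:
    """Return the value plus every URL- and base64-decoded form of it.

    Plugins in these posts pass cookies through stripslashes(), base64_decode()
    or urldecode() before unserialize(), so the payload may arrive in any of
    those encodings; each layer is peeled at most max_depth times.
    """
    layers, stack = [], [(value, 0)]
    while stack:
        v, depth = stack.pop()
        if v in layers or depth > max_depth:
            continue
        layers.append(v)
        u = unquote(v)  # O%3A20%3A%22... -> O:20:"...
        if u != v:
            stack.append((u, depth + 1))
        try:  # TzoyMDoi... -> O:20:"... ; anything not base64 raises
            d = base64.b64decode(v, validate=True).decode("utf-8")
            stack.append((d, depth + 1))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass
    return layers


def find_serialized_objects(value: str) -> list:
    """Return the class names of serialized objects found in any layer."""
    names = []
    for layer in decode_layers(value):
        for m in OBJECT_RE.finditer(layer):
            if m.group(1) not in names:
                names.append(m.group(1))
    return names


def scan_request(cookies: dict, query: dict, post: dict) -> list:
    """Return (location, parameter, class) for every object found."""
    hits = []
    for where, params in (("cookie", cookies), ("get", query), ("post", post)):
        for key, value in params.items():
            for cls in find_serialized_objects(value):
                hits.append((where, key, cls))
    return hits


# Constructed request mirroring the proof-of-concept inputs in these posts.
SAMPLE_REQUEST = {
    "cookies": {
        "view_aas_campaigns": 'O:20:"php_object_injection":0:{}',
        "disc_golf_flash": "TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=",
        "wp_sap": "a:1:{i:5;b:1;}",  # serialized array, no object: benign
        "pwamp_style": "mobile",
    },
    "query": {"wpmlmethod": "paypal"},
    "post": {"custom": "O%3A20%3A%22php_object_injection%22%3A0%3A%7B%7D"},
}


def scan_sample() -> list:
    return scan_request(**SAMPLE_REQUEST)


if __name__ == "__main__":
    for where, key, cls in scan_sample():
        print(f"{where} parameter {key!r} carries serialized object {cls}")
```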

Timeline

  • February 22, 2018 – Developer notified.
22 Feb

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, PWAMP, and is something that the security review that is supposed to be done before new plugins are added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that.

The vulnerability occurred in the function after_setup_theme(), located in the file /pwamp.php, where the value of the cookie “pwamp_args” is passed through the unserialize() function, which can lead to PHP object injection:

$args = unserialize(stripslashes($_COOKIE['pwamp_args']));

That function will run after the theme is loaded when the device type is set to mobile, which can be done by setting the value of the cookie “pwamp_style” to mobile:

add_action( 'after_setup_theme', array($this, 'after_setup_theme') );

After we notified the developer of the issue they released version 1.0.1, which resolves the vulnerability by replacing use of unserialize() with json_decode() (and replacing related use of serialize() with json_encode()):

$args = json_decode(stripslashes($_COOKIE['pwamp_args']));

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “pwamp_args” to “O:20:"php_object_injection":0:{}” and the value of the cookie “pwamp_style” to “mobile”, and then when you visit a frontend page the message “PHP object injection has occurred.” will be shown.

Timeline

  • February 21, 2018 – Developer notified.
  • February 21, 2018 – Developer responds.
  • February 22, 2018 – Version 1.0.1 released, which fixes vulnerability.