Login

Tag Archives: PHP Object Injection

5 Oct 2018

The Continued Inappropriate Behavior of WordPress Has Lead to This Disclosure of an Exploitable Vulnerability in a Plugin with 30,000+ Active Installs

A lot has been going on for us recently. One of those things is that we have made a big improvement to our ability to detect the possibility of vulnerabilities being fixed in plugins, so that we can add more of them to our data set. That has lead to us reviewing code changes in more plugins and finding more vulnerabilities, which are more serious than the possible issues that might have already been fixed. That today lead to us noticing that there is a PHP object injection vulnerability, which is the type of vulnerability has been the type that more advanced hackers are likely to try exploit, in the plugin WP DSGVO Tools, which has 30,000+ active installs.

Another thing that has gone on is that due to the continued inappropriate behavior by the moderators of the WordPress Support Forum we have started full disclosing vulnerabilities in WordPress plugins until such time that they stop acting inappropriately. They could have already done that and the full disclosures would have stopped, instead so far they have just decide to compound their bad behavior with more of it. What that means is that instead of contacting the developer and letting them know about the vulnerabilities, offering assistance in fixing them, and only after they have had a chance to do, disclosing them, we are just disclosing them. We then try to notify the developers of the full disclosure through the Support Forum. That isn’t a good thing, but the inappropriate behavior of the moderators of the Support Forum is much more of a problem and it needs to finally stop. [Read more]

26 Sep 2018

WordPress Lets Two More Plugins With Easy to Spot Exploitable Vulnerability in to the Plugin Directory

For the second day of our full disclosures of WordPress plugin vulnerabilities due to the continuing inappropriate handling of the moderation of the WordPress Support Forum we are focusing on something that relates to the larger problem when it comes to handling security by the WordPress team. Part of what makes the inappropriate moderation of the Support Forum so harmful, whether intended or not, is that it acts as an active cover up problems, which could be fixed quite easily if the people on the WordPress side of things were interested in fixing them. When they can largely cover up those problems, though, it allows those problems to instead fester since pressure doesn’t build for change since many in the WordPress community are not aware of them.

When a new plugin is submitted to the WordPress Plugin Directory a manual review of the plugin is supposed to be done: [Read more]

17 Sep 2018

Our Proactive Monitoring Caught an Exploitable Vulnerability in Events Made Easy

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In a change made to the plugin Events Made Easy last week, code was added to the plugin that would pass the value of a cookie, “eme_client_time” through the unserialize() function, which could lead to PHP object injection. One of the locations that was added to was in the function eme_client_clock_ajax() in the file /eme_functions.php: [Read more]

9 Jul 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Advanced Advertising System

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin Advanced Advertising System the value of a cookie, “view_aas_campaigns”, is passed through the unserialize() function in a couple of locations, which could lead to PHP object injection. One of those locations is in the function is_available() in the file /shortcode.php: [Read more]

9 Jul 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Giveaway Boost

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin Giveaway Boost the value of a cookie is passed through the unserialize() function, which could lead to PHP object injection. That occurs in the function gb_getcookie(), which is located in the file /includes/cookies.functions.php: [Read more]

25 May 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WordPress Survey & Poll

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WordPress Survey & Poll the value of a cookie, “wp_sap”, was passed through the unserialize() function in several locations, which could lead to PHP object injection. One of those locations was in the function enqueue_custom_scripts_and_styles() in the file /wordpress-survey-and-poll.php: [Read more]

16 Apr 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in a Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, Disc Golf Manager, and should have been something that the security review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that. [Read more]

23 Mar 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in DukaPress

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin DukaPress, the value of a cookie was passed through the unserialize() function, which could lead to PHP object injection. That occurred in the function get_cart_cookie() (in the file /classes/dukapress-cart.php): [Read more]

14 Mar 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in a Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, HappyForms, and should have been something that the security review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that. [Read more]

8 Mar 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WooCommerce Save For Later Cart Enhancement

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WooCommerce Save For Later Cart Enhancement the value of cookies are passed through the unserialize() function, which could lead to PHP object injection. One of the instances of that occurs is in the function wsfl_add_product_to_cart() (in the file /public/class-woo-save-for-later-public.php): [Read more]