Recently there have been claims that hackers have been causing PHP object injection through SQL injection vulnerabilities in WordPress plugins. The details needed to allow others to confirm whether or not that is true had not been provided (which didn’t stop journalists from repeating the claims), and in our testing we were not able to figure out a way to get that to work with the plugins that it has been claimed it had occurred with. It is possible that we have missed something, or it is possible that there was a belief that it could occur, leading to hackers attempting it, but it really wasn’t possible in those plugins.
One route we looked at to recreate the claim was using UNION SELECT as part of the SQL injection to cause a value needed for the PHP object injection to be returned from the SQL statement susceptible to SQL injection. What we have run into in trying that is that we couldn’t get an appropriate value needed for PHP object injection through that, due to the escaping WordPress does of quote marks.