02 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WL Katalogsøk

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WL Katalogsøk, user input is passed through the unserialize() function, which could lead to PHP object injection, when visiting a page using one of its shortcodes. [Read more]