One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website, but could be utilized in a targeted attack. That happened with the cross-site request forgery (CSRF)/PHP object injection vulnerability we found in the plugin WP Docs. This vulnerability could have allowed an attacker who could get a logged-in Administrator to visit a URL the attacker controls to cause that Administrator to unintentionally exploit a PHP object injection vulnerability.
What led us to that was the possibility of a file upload vulnerability in the plugin, but before we got to the code for that, we noticed the possibility that a PHP object injection would occur first, in a way that we haven’t seen before, so we focused on that.