PHP Object Injection Vulnerability in Booster for WooCommerce
We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection, since those are likely to be exploited if hackers become aware of them. Through that monitoring we came across a PHP object injection vulnerability in the Email Verification module of the plugin Booster for WooCommerce.
When the Email Verification module is enabled (it and all of the other modules are disabled by default), the function process_email_verification() in the file /includes/class-wcj-emails-verification.php is hooked to run during init:
add_action( 'init', array( $this, 'process_email_verification' ), PHP_INT_MAX );
That function passes the base64-decoded value of the GET input “wcj_verify_email” straight to unserialize(), so anyone who can reach the site can supply a serialized object of their choosing and cause PHP object injection to occur:
function process_email_verification(){
    if ( isset( $_GET['wcj_verify_email'] ) ) {
        $data = unserialize( base64_decode( $_GET['wcj_verify_email'] ) );
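To make the issue concrete, here is an added example (not Booster's code, and not the fix the developer shipped) that puts the unsafe pattern above beside two hardened replacements. The function names, the secret and the demo values are assumptions made for this illustration; the sample token is the proof-of-concept value from this post, which decodes to a serialized object of an arbitrary class.

```php
<?php
// Added example: the unsafe unserialize() pattern beside hardened variants.
// All function names and the secret below are hypothetical.

// Constructed sample: the proof-of-concept token from this post. It decodes to
// O:20:"php_object_injection":0:{} -- an object of whatever class name the
// sender chooses, which is exactly what unserialize() must never be handed.
$sample_token = 'TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=';

// Unsafe: any class named in the token is instantiated, so a class with a
// __wakeup() or __destruct() method runs code paths the sender selected.
function unsafe_process_email_verification(string $token) {
    return unserialize(base64_decode($token));
}

// Hardened step 1: keep unserialize() but refuse to instantiate any class.
// PHP 7.0+ supports the allowed_classes option; objects in the input become
// __PHP_Incomplete_Class, and a token that is not a plain array is rejected.
function safer_unserialize(string $token) {
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;   // a legitimate verification token should be a plain array
    }
    return $data;
}

// Hardened step 2 (preferred): do not serialize at all. Issue the token as
// JSON signed with an HMAC, and verify the signature before trusting it.
function make_verification_token(int $user_id, string $secret): string {
    $payload = json_encode(['id' => $user_id, 'code' => bin2hex(random_bytes(16))]);
    $sig = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '.' . $sig);
}

function read_verification_token(string $token, string $secret): ?array {
    $raw = base64_decode($token, true);
    if ($raw === false || strrpos($raw, '.') === false) {
        return null;
    }
    $pos = strrpos($raw, '.');
    $payload = substr($raw, 0, $pos);
    $sig = substr($raw, $pos + 1);
    // Constant-time comparison against the expected signature.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) {
        return null;   // forged or tampered token
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Demonstration with constructed values.
$secret = 'constructed-secret-for-demo';
var_dump(safer_unserialize($sample_token));                // NULL: object input rejected
$good = make_verification_token(42, $secret);
var_dump(read_verification_token($good, $secret));         // array with 'id' and 'code'
var_dump(read_verification_token($sample_token, $secret)); // NULL: no valid signature
```

The first hardening keeps the existing token format and is the smallest change that removes object instantiation; the second removes unserialize() from the request path entirely, which is the option to prefer when the token format can change. In a WordPress plugin the HMAC would normally be computed with the site's own salts (for example via wp_hash()) rather than a hard-coded secret.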
The developer put in a fix for the vulnerability in the development version of the plugin six days after we notified them of it, but a month later a new version still has yet to be released. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, visiting the following URL while logged in to WordPress will cause the message “PHP object injection has occurred.” to be shown.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/?wcj_verify_email=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=
Timeline
- August 4, 2017 – Developer notified.
- August 10, 2017 – Developer responds.
- September 11, 2017 – Version 3.1.0 released, which fixes vulnerability.