PHP Object Injection Vulnerability in WordPress Meta Data and Taxonomies Filter
Back in June we introduced a new feature to our service where we are trying to proactively catch some serious vulnerabilities in WordPress plugins. The original idea was to catch vulnerabilities as they are being introduced into plugins, but as we started working on that we realized that our approach would also catch existing vulnerabilities if they were in code being changed in a plugin. Since we started doing that work we have disclosed 15 vulnerabilities that we have identified (more will be disclosed soon). So far those had all been vulnerabilities that were pre-existing in plugins, but last week, for the first time, we caught a serious vulnerability as it was being introduced into a plugin. The vulnerability is a PHP object injection vulnerability introduced in two locations in version 1.2.2 of the plugin WordPress Meta Data and Taxonomies Filter.
That version makes a new function mdf_search_panel() available through WordPress’ AJAX functionality to both those logged in to WordPress and those not logged in (in the file /classes/shortcodes.php):
```php
// The wp_ajax_ hook registers the handler for logged-in users; the
// wp_ajax_nopriv_ hook also exposes it to visitors who are not logged in.
add_action('wp_ajax_mdf_search_panel', array(__CLASS__, 'mdf_search_panel'));
add_action('wp_ajax_nopriv_mdf_search_panel', array(__CLASS__, 'mdf_search_panel'));
```
In that function, if the POST input “mdf_search_terms” exists, its value is base64-decoded and then passed through unserialize(), which permits PHP object injection:
```php
public static function mdf_search_panel(){
    if(isset($_POST['mdf_search_terms'])){
        $data=array();
        // Attacker-controlled POST data is decoded and unserialized directly,
        // so the request can instantiate any class loaded by WordPress.
        $data['filter_data']= unserialize(base64_decode($_POST['mdf_search_terms']));
        // ...
```
The vulnerability also occurred with the AJAX accessible function mdf_add_subscr() in the file /ext/mdf_posts_messenger/mdf_posts_messenger.php.
After we notified the developer, they released version 1.2.3, which fixes the vulnerability by replacing the usage of unserialize() with json_decode().
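To show why the change from unserialize() to json_decode() closes the hole, here is an added example (our own illustration, not code from the plugin or its developer) that runs the proof-of-concept payload from this post through the vulnerable pattern, through the json_decode() replacement, and through unserialize() with the allowed_classes option. The class name php_object_injection matches the class serialized in the payload; its body, the __wakeup() flag and the sample search terms are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. Demonstrates the difference between
// unserialize() on untrusted input and the json_decode() replacement.

// Stand-in for any application class that does work on deserialization.
// The class name matches the object named in the proof-of-concept payload;
// the body is constructed for this example.
class php_object_injection {
    public static $triggered = false;

    // __wakeup() runs automatically when unserialize() rebuilds an object of
    // this class, which is how attacker-chosen code paths get reached.
    public function __wakeup() {
        self::$triggered = true;
    }
}

// The base64 value from the proof of concept below (constructed input):
// decodes to a serialized, property-less php_object_injection object.
$poc = 'TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=';

function reset_flag() {
    php_object_injection::$triggered = false;
}

// 1. Pattern removed in version 1.2.3: the request body decides which class
//    is instantiated, and its magic methods run during unserialize().
reset_flag();
$vulnerable = unserialize(base64_decode($poc));
echo "unserialize(): object of ", get_class($vulnerable),
     ", __wakeup() ran: ", var_export(php_object_injection::$triggered, true), "\n";

// 2. Fix used in version 1.2.3: json_decode() only ever produces scalars,
//    arrays and stdClass, so no application class can be instantiated and
//    no magic method can fire. The serialized payload is simply not JSON.
reset_flag();
$fixed = json_decode(base64_decode($poc), true);
echo "json_decode(): result ", var_export($fixed, true),
     ", __wakeup() ran: ", var_export(php_object_injection::$triggered, true), "\n";

// A legitimate client of the fixed code sends JSON instead (assumed field
// names; the real filter keys are not shown on the page).
$legit = base64_encode(json_encode(['category' => 3, 'price_max' => 100]));
echo "legitimate JSON input: ", var_export(json_decode(base64_decode($legit), true), true), "\n";

// 3. If the serialized format had to be kept, PHP 7+ lets the caller forbid
//    object instantiation; the payload becomes __PHP_Incomplete_Class and
//    __wakeup() is never invoked.
reset_flag();
$restricted = unserialize(base64_decode($poc), ['allowed_classes' => false]);
echo "unserialize(allowed_classes=false): object of ", get_class($restricted),
     ", __wakeup() ran: ", var_export(php_object_injection::$triggered, true), "\n";
```

Run with the PHP CLI. The first case reports a php_object_injection instance with the __wakeup() flag set; the second reports a null result with the flag untouched, which is exactly the property the 1.2.3 fix relies on; the third shows that even if a plugin cannot move away from the serialized format, passing ['allowed_classes' => false] stops application classes from being instantiated. The json_decode() route is still the better fix, since it also removes the __PHP_Incomplete_Class objects that the third approach leaves for the calling code to handle.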
The type of systematic catching of serious vulnerabilities we are doing is something that no other security company with a WordPress focus is even trying to do as far as we are aware and if we had additional customers for our service we could expand it to make the WordPress ecosystem even more secure, which is something that can’t really be said for any of those other companies.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="mdf_search_panel" />
<input type="hidden" name="mdf_search_terms" value="TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
Timeline
- August 28, 2017 – Developer notified.
- August 30, 2017 – Developer responds.
- September 5, 2017 – Version 1.2.3 released, which fixes vulnerability.