PHP Object Injection Vulnerability in TAKETIN To WP Membership
Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found a PHP object injection vulnerability in the TAKETIN To WP Membership plugin.
In the file /classes/taketin-mp-utils.php the function getMessage() as of version 1.2.7 would unserialize the value of the cookie “taketin_mp_error”, which permitted PHP object injection:
```php
public static function getMessage(){
    if(!isset($_COOKIE[TMP_ERR_MSG_COOKIE_KEY])){
        return false;
    }
    $mess = unserialize(base64_decode($_COOKIE[TMP_ERR_MSG_COOKIE_KEY]));
```
One of the places that function is called is in the file /views/forgot_password.php:
```php
$msg = TaketinMpUtils::getMessage();
```
That file is included by the function reset() (in the file /classes/taketin-mp-membership.php):
```php
public function reset() {
    //$succeeded = $this->notices();
    //if ($succeeded) {
    //    return '';
    //}
    ob_start();
    //Load the forgot password template
    $template_files = TMP_MEM_PATH . 'views/forgot_password.php';
    require( $template_files );
```
That function is called when the shortcode “tmp_reset_form” is used:
```php
add_shortcode('tmp_reset_form', array(&$this, 'reset'));
```
Less than a day after we notified the developer of the vulnerability they released version 1.2.8, which fixes the vulnerability by replacing the usage of unserialize() with json_decode() (as well as replacing the connected usage of serialize() with json_encode()):
```php
$mess = json_decode(base64_decode($_COOKIE[TMP_ERR_MSG_COOKIE_KEY]), true);
```
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “taketin_mp_error” to “TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=” and then when you visit a post or page with the shortcode “tmp_reset_form” on it the message “PHP object injection has occurred.” will be shown.
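As an added example (not the plugin's own code), here is the 1.2.8-style fix carried through the cookie's full round-trip, with the decoded value validated before it is trusted; the example_ function names are assumptions, while the cookie name and the proof-of-concept value above come from this post:

```php
<?php
// Added example, not code from the TAKETIN To WP Membership plugin.
// The cookie "taketin_mp_error" is what the plugin reads via
// TMP_ERR_MSG_COOKIE_KEY; the example_ helpers are assumed names.

// Store a message as plain data. json_encode() cannot emit an object
// graph the way serialize() does, so nothing on the way back in can
// ever reconstruct a class instance from the cookie.
function example_encode_message(string $text, string $type = 'error'): string {
    return base64_encode(json_encode(['type' => $type, 'text' => $text]));
}

// Read a message back. json_decode() with $assoc = true only ever yields
// scalars and arrays, so a serialized object such as
// O:20:"php_object_injection":0:{} is simply invalid JSON and decodes to null.
function example_decode_message(?string $raw): ?array {
    if ($raw === null) {
        return null;
    }
    $decoded = base64_decode($raw, true);   // strict mode: reject non-base64 input
    if ($decoded === false) {
        return null;
    }
    $mess = json_decode($decoded, true);
    // Validate the shape before using it: an array with two string fields.
    if (!is_array($mess)
        || !isset($mess['type'], $mess['text'])
        || !is_string($mess['type']) || !is_string($mess['text'])) {
        return null;
    }
    return $mess;
}

// A legitimate message round-trips; the proof-of-concept cookie value from
// this post is rejected without unserialize() ever being reached.
$good = example_encode_message('Wrong password', 'error');
var_dump(example_decode_message($good));
var_dump(example_decode_message('TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30='));
```

Reading the cookie with `$_COOKIE['taketin_mp_error']` in place of the literal value behaves the same way in a request; the second call returns NULL because the base64 decodes to a PHP serialized string, not JSON.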
Timeline
- September 21, 2017 – Developer notified.
- September 21, 2017 – Developer responds.
- September 21, 2017 – Version 1.2.8 released, which fixes vulnerability.