On March 1 we had a request on this website for a file that would be located at wp-content/plugins/newsletters-lite/readme.txt. That is file from the plugin Newsletters and our guess would be that the request was from a hacker probing for usage of the plugin in preparation to try to exploit a vulnerability in it. In looking over the plugin we found a PHP object injection vulnerability that might be what be what a hacker would be interested in exploiting, since that is a type of vulnerability they frequently target.

The plugin’s function init() in the file /wp-mailinglist.php runs during, not surprisingly, init:

64

$this -> add_action('init', 'init', 11, 1);

So it will run whenever WordPress loads.

In that function the variable $method is assigned the value of the GET input “wpmlmethod”:

710

$method = (empty($_GET[$this -> pre . 'method'])) ? $wpmlmethod : esc_html($_GET[$this -> pre . 'method']);

That is then used in a switch statement:

1378

switch ($method) {

If $method is set to “paypal” the value of the POST input “custom” urldecoded and then unserialized, which can lead to PHP object injection:

1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781

case 'paypal'			:
	global $Html, $SubscribersList;
	$req = 'cmd=_notify-validate';
 
	foreach ($_POST as $pkey => $pval) {
		$pval = urlencode(stripslashes($pval));
		$req .= "&" . $pkey . "=" . $pval . "";
	}
 
	$paypalsandbox = $this -> get_option('paypalsandbox');
 
	$custom = maybe_unserialize(urldecode($_POST['custom']));

We notified the developer of the situation within hours of us receiving the requests on the 1st and explained we would need to disclose the vulnerability shortly, but we could hold back disclosure for a short time if they provided us a timeline on it being fixed. The next day they responded without a timeline, but said they were working on fix. It has now been three days and that has yet to been released.

Considering that this is a monetized plugin the developer should be able to promptly fix a vulnerability that may already be being exploited. Three days is more than enough time to do that, so we are going ahead with the disclosure as we need to warn our customers and don’t want others to be left without the possibility of knowing that they at risk as well.

Wider Warning

Due to the fact that the vulnerability might be being targeted by hackers we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using a vulnerable version of the plugin. Though using our service would help us to catch more vulnerabilities before the might start getting exploited in the first place.

We have also improved an existing check for possible PHP object injection vulnerabilities in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), so if you check a plugin that contains a possible PHP object injection vulnerability caused by similar code, it will now be flagged.

Our Plugin Security has flagged several other possible issues in the plugin, so if you are using the plugin you may want to have the security of the plugin more thoroughly reviewed (something we offer as part of our main service and a separate service).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/?wpmlmethod=paypal" method="POST" >
<input type="hidden" name="custom" value="O%3A20%3A%22php_object_injection%22%3A0%3A%7B%7D" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

• March 1, 2018 – Developer notified.
• March 2, 2018 – Developer responds.
• March 12, 2018 – Version 4.6.8.6 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?