11 Aug 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a PHP object injection vulnerability in the plugin Soprop Connector.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

3 Sep 2019

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WP BASE Booking of Appointments, Services and Events

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a PHP object injection vulnerability in the plugin WP BASE Booking of Appointments, Services and Events.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool flags the possibility of other issues in this plugin as well. [Read more]

12 Aug 2019

Vulnerability Details: PHP Object Injection in Formidable Forms

One of the changelog entries for the latest version of Formidable Forms is “Security: Fix vulnerability with unserializing.” Looking at the changes made confirmed what that suggests: there was a PHP object injection vulnerability in the plugin. It seems possible there could still be an issue when using addons for the plugin, but in the plugin itself it has been fixed.

[Read more]

19 Jul 2019

A Hacker Looks to be Probing for the WordPress Plugin Easy Property Listings, These Vulnerabilities Might Be Why

Yesterday we had what looks to be a hacker probing for usage of the plugin Easy Property Listings through requests for these two files:

/wp-content/plugins/easy-property-listings/license.txt [Read more]

18 Mar 2019

Vulnerability Details: PHP Object Injection in Easy WP SMTP

The changelog entry for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. Looking at the changes made in that version, we noticed that the import portion previously contained a PHP object injection vulnerability, and that there is still a CSRF issue related to it.

[Read more]

20 Nov 2018

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed that they knew about it after others had noticed it, and possibly after it had been exploited. Completely coincidentally, during our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted the same kind of serious vulnerability being introduced today into a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line: [Read more]

15 Nov 2018

Full Disclosure of PHP Object Injection Vulnerability in WordPress Plugin with 20,000+ Installs

Yesterday, as part of our monitoring of WordPress plugins’ changelogs for indications that vulnerabilities have been fixed, so that we can add those vulnerabilities to our data set, the plugin Yet Another Stars Rating popped up. The changelog entry for the latest version of that is “FIXED: security fix”. Looking at the change made in that version, that is accurate, as code that prevents cross-site request forgery (CSRF) was fixed so that it would work properly. When we started to look at what the significance of that might be, we noticed a more serious issue that still exists in the plugin: it is vulnerable to PHP object injection in at least one location (and probably others as well), which is a type of vulnerability that more advanced hackers have been known to exploit widely.

When using the plugin’s shortcode yasr_visitor_multiset the function yasr_visitor_multiset_callback() is run: [Read more]

7 Nov 2018

Vulnerability Details: PHP Object Injection Vulnerability in WP GDPR Compliance

Yesterday the plugin WP GDPR Compliance was closed on the Plugin Directory. The reason given by the developer is that this was done by the “WordPress Plugin Review Team after finding a security flaw”. It isn’t clear if that is the full explanation, but the closure may be related to a recent message on a forum topic we mentioned before, where a plugin was being installed by hackers on websites. It isn’t clear whether there was actually a connection between the security of this plugin and that situation, as the message states:

[Read more]

1 Nov 2018

PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)

In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one where we couldn’t see how it could do anything of note. While looking into that, we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It is also yet another reminder that we really need to review the security of the plugins we use, since there are multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.

The plugin contains a function that makes a request to the domain name yarpp.org to check if there is a new version of the plugin available. The problem is that this code introduces a PHP object injection vulnerability that could be exploited by someone who controlled that domain, which would be much easier to accomplish if the domain name isn’t renewed by the plugin’s developer. The relevant portion of the function, which is located in the file /classes/YARPP_Core.php, is as follows: [Read more]

26 Oct 2018

Full Disclosure of PHP Object Injection Vulnerability in Patreon WordPress

The unfortunate reality when it comes to WordPress plugins is that there are lots of security issues in them, so even if the people on the WordPress side of things were not working against improving security, there would be lots of problems. As an example of that, when the latest version of the plugin Patreon WordPress showed up in our monitoring of changes made to plugins that might involve security vulnerabilities being fixed, we found a serious vulnerability unrelated to the change we were looking into. The change that caused it to appear on our radar doesn’t seem related to a vulnerability, but in looking into it we happened across a PHP object injection vulnerability, which is a type of vulnerability that more advanced hackers have been known to exploit widely, in the current version of the plugin.

The line we noticed that might have allowed PHP object injection (located in the file /classes/patreon_routing.php): [Read more]