Object Injection Vulnerability Affects WordPress Versions 3.7 to 5.7.1

  • May 17, 2021
WordPress Vulnerablity Disclosre

If you haven’t updated your WordPress website since October 2013, this wouldn’t affect you, but we strongly hope that is not the case! There’s a new object injection vulnerability which affects WordPress versions 3.7 to 5.7.1. Be sure to get updated to 5.7.2 as soon as possible!

According to WPScan, the new object injection vulnerability is due to versions of PHPMailer library between 6.1.8 and 6.4.0. The original CVE can be found here.

As per the Open Web Application Security Project:

PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

Object Injection Vulnerability in PHPMailer

Fortunately, the critical vulnerability is in PHPMailer, and not WordPress itself. So far we haven’t seen any websites getting infected through this vector. A number of different stars would have to align for the attackers to actually exploit this in a real world setting. WordPress doesn’t allow direct access to PHPMailer as all that is done through the WordPress API, where extra protections are in place.

There would need to be at least an additional vulnerability in another software component in place on the website – or an active compromise already taking place – for this to be an actual attack vector, so readers of the blog don’t need to lose any sleep over this. The attacker would need permission to upload an attachment using the PHPMailer software. Nevertheless, website administrators should follow best practices and update their software as soon as they are able to.

This vulnerability is a good example of how one vulnerability going undetected can be amplified when it’s used together with others.

Sign up to our newsletter to be notified of website security notes.

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than a decade of working with infected websites of every variety with a special focus on eCommerce / credit card theft malware. When Ben isn't slaying malware you might find him producing music, gardening, or skateboarding around Victoria.

Related Tags
Related Categories
You May Also Like