If you haven’t updated your WordPress website since October 2013, this wouldn’t affect you, but we strongly hope that is not the case! There’s a new object injection vulnerability which affects WordPress versions 3.7 to 5.7.1. Be sure to get updated to 5.7.2 as soon as possible!
As per the Open Web Application Security Project:
“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.”
Object Injection Vulnerability in PHPMailer
Fortunately, the critical vulnerability is in PHPMailer, and not WordPress itself. So far we haven’t seen any websites getting infected through this vector. A number of different stars would have to align for the attackers to actually exploit this in a real world setting. WordPress doesn’t allow direct access to PHPMailer as all that is done through the WordPress API, where extra protections are in place.
There would need to be at least an additional vulnerability in another software component in place on the website – or an active compromise already taking place – for this to be an actual attack vector, so readers of the blog don’t need to lose any sleep over this. The attacker would need permission to upload an attachment using the PHPMailer software. Nevertheless, website administrators should follow best practices and update their software as soon as they are able to.
This vulnerability is a good example of how one vulnerability going undetected can be amplified when it’s used together with others.
Sign up to our newsletter to be notified of website security notes.