Outdated versions of three popular WordPress plugins suffer from a “critical” zero-day vulnerability that lets an unauthenticated attacker take over a website.
The bug is a PHP object injection flaw (untrusted request data passed to PHP's unserialize()) that affects the following plugins: Appointments (versions prior to 2.2.2), Flickr Gallery (versions prior to 1.5.3), and RegistrationMagic - Custom Registration Forms (versions prior to 3.7.9.3).
Together, those plugins have a combined user base of over 21,000 WordPress sites. All three have already received a fix for the security issue, which is rated “Critical” with a CVSS score of 9.8.
So why such a high rating? Brad Haas, senior security analyst at Wordfence, has the answer:
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as a POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php. If the attacker was able to access their backdoor, they could completely take over the vulnerable site.”
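As an added illustration, not code from any of the three plugins or from Wordfence, of what a PHP object injection bug looks like and how the file-write primitive Haas describes falls out of it, the following stand-alone PHP script puts a minimal vulnerable handler next to two hardened versions. The CacheWriter class, the handler names and the temp-file path are made up for the demo; the attacker payload is built by hand from the class and field names alone, exactly as it would be crafted for a real target.

```php
<?php
// Added illustration of the bug class the article describes; this is not code
// from Appointments, Flickr Gallery or RegistrationMagic. Class and function
// names are made up for the demo.

// A "gadget": a class the application legitimately defines, whose magic method
// does something with its own fields. Built by the application it is harmless;
// built by unserialize() from attacker input, the attacker picks every field.
// Swap file_put_contents() for copy($this->url, $this->path) and you have the
// "fetch a remote file and save it to a location of their choice" primitive
// from the Wordfence write-up.
class CacheWriter {
    public $path;
    public $content;
    public function __destruct() {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->content);
        }
    }
}

// VULNERABLE: the handler unserializes a request parameter. unserialize()
// instantiates whatever class the string names, and that class's
// __wakeup()/__destruct() run, so one unauthenticated POST is a file write.
function vulnerable_handler(string $untrusted): bool {
    $state = unserialize($untrusted);
    return is_object($state);       // $state is freed here, so __destruct() fires
}

// HARDENED (a): refuse object instantiation. PHP >= 7.0 turns any object in
// the string into __PHP_Incomplete_Class, whose magic methods never run.
function hardened_handler(string $untrusted): bool {
    $state = unserialize($untrusted, ['allowed_classes' => false]);
    return is_object($state);       // still an "object", but an inert one
}

// HARDENED (b): the real fix. Untrusted input should travel in a data-only
// format; JSON has no way to name a class at all.
function json_handler(string $untrusted): ?array {
    $data = json_decode($untrusted, true);
    return is_array($data) ? $data : null;
}

// Hand-built serialized gadget, the way an attacker crafts it: no need to
// instantiate CacheWriter locally, only to know its name and field names.
function build_payload(string $path, string $content): string {
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// Demo: the same payload against the vulnerable and the hardened handlers.
function demo(): array {
    $target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.php';
    $payload = build_payload($target, "<?php /* attacker-chosen PHP */ ?>\n");

    vulnerable_handler($payload);
    $written_by_vulnerable = file_exists($target);
    if ($written_by_vulnerable) {
        unlink($target);
    }

    hardened_handler($payload);
    $written_by_hardened = file_exists($target);

    return [
        'vulnerable_wrote_file' => $written_by_vulnerable,
        'hardened_wrote_file'   => $written_by_hardened,
        'json_rejects_payload'  => json_handler($payload) === null,
    ];
}

var_dump(demo());
```

Run it with the PHP CLI: the vulnerable handler leaves the attacker's file in the temp directory, the allowed_classes variant does not, and the JSON handler rejects the payload outright. The allowed_classes option is a useful stopgap for code that must keep accepting serialized strings, but it still lets attacker data reach any code that inspects the result, so moving to JSON is the fix to aim for.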
Haas and his colleagues came across the vulnerability while they were cleaning up a compromised website. Yes, that means attackers are exploiting the flaw in the wild. So there’s no time to waste.
Premium Wordfence customers are already protected by updated firewall rules in the Wordfence plugin. Everyone else running any of the three plugins should update to the fixed release now (Appointments 2.2.2, Flickr Gallery 1.5.3, RegistrationMagic 3.7.9.3) rather than waiting until they feel at risk: the exploit needs no account on the site. Updating closes the hole but does not remove a backdoor that was already dropped, so a site that ran a vulnerable version while the flaw was being exploited should also be checked for unexpected PHP files.
Of course, keeping WordPress plugins patched against known vulnerabilities is always sensible advice. If you administer a WordPress website, make sure your plugins stay up to date.
There have certainly been enough plugin vulnerabilities over recent years, so it’s a good habit to get into if you haven’t done so already.
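For administrators who want a quick check rather than a visual scan of the plugins page, here is an added PHP example (not code from Wordfence or the plugin authors) that compares installed versions against the fixed releases named above. The plugin directory names used as keys are an assumption about how the three plugins are laid out in wp-content/plugins; the sample input is constructed to stand in for what WordPress's get_plugins() returns.

```php
<?php
// Added example for site administrators; it is not code from Wordfence or from
// the plugin authors. It flags installed copies of the three plugins whose
// version is still below the fixed release named in the article.

// Fixed versions from the advisory. The keys are plugin directory names as
// they appear in get_plugins() keys ("dir/main-file.php"); these slugs are an
// assumption, so check them against your own wp-content/plugins.
const FIXED_VERSIONS = [
    'appointments'   => '2.2.2',
    'flickr-gallery' => '1.5.3',
    'custom-registration-form-builder-with-submission-manager' => '3.7.9.3',
];

// $installed has the shape WordPress's get_plugins() returns:
// 'dir/file.php' => ['Name' => ..., 'Version' => ...]. Returns only the
// entries that still need the patch, keyed by plugin directory. On a live
// site: require_once ABSPATH . 'wp-admin/includes/plugin.php'; then call
// vulnerable_plugins(get_plugins()).
function vulnerable_plugins(array $installed): array {
    $needs_update = [];
    foreach ($installed as $file => $info) {
        $dir = strstr($file, '/', true) ?: $file;   // "dir/file.php" -> "dir"
        if (!isset(FIXED_VERSIONS[$dir])) {
            continue;                                // not one of the three
        }
        // version_compare() handles four-part versions such as 3.7.9.3 and
        // orders "3.7.9.10" after "3.7.9.3", which a string compare would not.
        if (version_compare($info['Version'], FIXED_VERSIONS[$dir], '<')) {
            $needs_update[$dir] = [
                'name'      => $info['Name'],
                'installed' => $info['Version'],
                'fixed_in'  => FIXED_VERSIONS[$dir],
            ];
        }
    }
    return $needs_update;
}

// Constructed sample standing in for get_plugins() output: one patched plugin,
// one vulnerable plugin, one unrelated plugin.
$sample = [
    'appointments/appointments.php'     => ['Name' => 'Appointments',   'Version' => '2.2.2'],
    'flickr-gallery/flickr-gallery.php' => ['Name' => 'Flickr Gallery', 'Version' => '1.5.2'],
    'akismet/akismet.php'               => ['Name' => 'Akismet',        'Version' => '4.0'],
];

print_r(vulnerable_plugins($sample));
```

With the constructed sample only Flickr Gallery is reported, because 1.5.2 is below 1.5.3 while Appointments is already at its fixed version and Akismet is not one of the affected plugins. The check says nothing about whether a backdoor was dropped before the update; that needs a file review of the site, as noted above.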
Those are only a few of the recently found PHP object injection vulnerabilities in WordPress plugins, so keeping your plugins up to date is critical since you are unlikely to know all of them that have been fixed. Unfortunately, that doesn't resolve the issue as not all of those vulnerabilities get fixed. Below are a couple of PHP object injection vulnerabilities that we found in recent months that haven't been fixed and the plugins are still available in the WordPress Plugin Directory (the second one is in a security plugin):
https://www.pluginvulnerabilities.com/2017/07/31/php-object-injection-vulnerability-in-product-reviews/
https://www.pluginvulnerabilities.com/2017/08/29/php-object-injection-vulnerability-in-wp-smart-security/