A British researcher has published details of a serious WordPress flaw left unfixed for over a year which could allow for complete system compromise.
Sam Thomas, head of research at Secarma, presented the paper — It’s a PHP Unserialization Vulnerability Jim, but Not as We Know It — to attendees at the BSides conference in Manchester on Thursday.
By uploading a specially crafted file to the targeted app, attackers can trigger a file operation through the "phar://" stream wrapper. That in turn triggers eXternal Entity (XXE – XML) and Server Side Request Forgery (SSRF) flaws which force the app to "unserialize" metadata contained in the file, potentially resulting in execution of malicious code.
Secarma claimed its research reveals that a category of vulnerabilities previously not considered critical can in fact have a major impact on victim systems.
“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”
WordPress is used by millions of web owners around the world including 30% of the world’s top 1000 websites, according to Secarma, meaning hackers could reach a potentially huge number of victims.
The popular open source CMS platform was notified in February 2017 but has yet to fully resolve the issue, according to the UK research firm.
“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organizations react quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.
“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”