A new PHP object injection vulnerability has been discovered in a well-known WordPress plugin (with around 60,000 installations at the time of this writing).
The vulnerability carries a high CVSS (Common Vulnerability Scoring System) score of 8.1 out of 10 and affects the Booking Calendar plugin by wpdevelop/oplugins.
The plugin lets a website owner take appointment bookings from potential and existing clients through an online booking system.
It can also publish a flexible timeline showing existing bookings and openings, using the following shortcode: [bookingflextimeline].
As reported by Wordfence:
An attacker could control the serialized data via several methods:
- If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
- Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
- An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.
Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.
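To make the root cause concrete, here is an added, illustrative PHP example (not code from the Booking Calendar plugin or from Wordfence). It assumes a hypothetical handler that receives the timeline's options value as a string, shows why passing that string straight to unserialize() is the problem, and shows two hardened alternatives.

```php
<?php
// Added illustrative example; the handler and its names are hypothetical and
// are NOT the Booking Calendar plugin's own code.

// VULNERABLE pattern: untrusted input reaches unserialize() unchanged, so any
// class loaded at runtime can be instantiated with attacker-chosen properties.
// The is_array() check below runs too late: an object has already been built
// (and its __wakeup/__destruct would already have fired) before it is discarded.
function timeline_options_vulnerable(string $raw): array {
    $options = unserialize($raw);
    return is_array($options) ? $options : [];
}

// HARDENED pattern 1: keep the serialized format but forbid object creation.
// With 'allowed_classes' => false (PHP 7+), every object in the payload becomes
// __PHP_Incomplete_Class, so no magic-method gadget can run. Such results are
// then rejected outright instead of being passed further into the application.
function timeline_options_hardened(string $raw): array {
    $options = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($options) || contains_incomplete_object($options)) {
        return [];
    }
    return $options;
}

function contains_incomplete_object($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED pattern 2 (preferred): do not accept PHP serialization at all.
// JSON decoded with $assoc = true yields only scalars and arrays, never objects.
function timeline_options_json(string $raw): array {
    $options = json_decode($raw, true);
    return is_array($options) ? $options : [];
}

// Constructed inputs for a quick check.
$benign = serialize(['view' => 'month', 'days' => 30]);
var_dump(timeline_options_hardened($benign));            // array(2): accepted
$objectPayload = 'O:10:"ExampleObj":1:{s:1:"a";i:1;}';   // fictional class name
var_dump(timeline_options_hardened($objectPayload));     // array(0): rejected
var_dump(timeline_options_json('{"view":"month"}'));     // array(1): accepted
```

The same allowed_classes check is also a useful way to audit other plugins: grep for unserialize( calls whose argument can originate from a request, shortcode attribute, or AJAX parameter and lack that option.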
Be Sure to Patch Your Plugins If You Haven’t Done So Already
We recommend upgrading your plugins to the newest versions, which contain the fixes for these vulnerabilities.
Keeping your plugins at the latest versions means you don't run the risk of being compromised by attackers exploiting these vulnerabilities.
Also, if you haven't done so already, add a security plugin such as Wordfence to your site, so that it can check for these types of vulnerabilities for you.