The Sassy Social Share plugin is another entry on our list, and it needs to be updated on your side as quickly as possible.
It has what’s called a PHP object injection vulnerability.
Essentially, PHP objects can be stored somewhere outside of memory. A developer can write code that uses the unserialize() function to convert an object from its stored form, which is similar to text, back into an object that exists in memory.
This is a standard task that PHP developers do all the time: serialize() and unserialize() are the functions they use to store and retrieve objects in code.
The serialize() function turns an object into text and makes the text ready for storage. The unserialize() function reverts this text back into an object again. This object can then be utilized in an application.
Many developers make the mistake of assuming that their objects – when they are unserialized – are safe. A potential attacker, however, could theoretically gain remote code execution on any website or any application written in PHP if they can send malicious data to the unserialize() function, and then later have it executed by this allegedly safe application.
This means that a full site takeover could be possible because of this vulnerability.
Sassy Social Share: The WordPress Vulnerability
The threat in the Sassy Social Share plugin was discovered on August 31, 2021.
The vulnerability in this case is a way for any subscriber-level user to gain remote code execution and ultimately take over a site that’s vulnerable to this attack.
Through this vulnerability, an attacker could import settings into the plugin and inject any available PHP objects as part of a POP (property-oriented programming) chain. A POP chain is a sequence of code already present in the application that an attacker causes to execute by controlling the properties of the injected objects.
WordPress Vulnerability Threat Level
The threat level is not significantly high, but still high enough to be considered serious.
It has a CVSS (Common Vulnerability Scoring System) score of 6.3, which is considered medium.
Why the Vulnerability Occurred
The vulnerability was introduced when the Sassy Social Share plugin released a new feature through an update.
This new feature provided users with the ability to both import and export settings for the plugin.
However, the feature itself was not securely implemented, which made it possible for any authenticated user to import any plugin settings, including the arbitrary injection of PHP objects.
The way this vulnerability worked within the plugin was that the functionality utilized the wp_ajax_heateor_sss_import_config AJAX action, which hooks into the function import_config.
The insecure part of this implementation is that the function had zero capability checks, and nonce protection was nonexistent. This meant that any authenticated user was capable of triggering the AJAX action.
Why the Vulnerability is So Dangerous
The simplest form of this vulnerability can be used to import and override any existing settings for the plugin, but it does not stop there. Because the import calls the unserialize() function on user-supplied content in the config parameter, an attacker could craft a payload that calls other PHP classes and performs certain actions if a “vulnerable magic method was present in another piece of software installed on the same site,” as reported by Wordfence.
This is known as PHP Object Injection.
Here is an example:
If a vulnerable version of the Sassy Social Share plugin exists on a website, then attackers have many privileges available to them, including the creation of new files, the deletion of existing files, the ability to execute remote commands, and much more.
Any vulnerable WordPress site suffering from this could be taken over by such attackers.
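One way to close the three gaps described above (no capability check, no nonce, unserialize() on user input), shown as an added example that is not the plugin's own code or its actual patch. The action, nonce and option names, the manage_options requirement and the flat settings format are assumptions.

```php
<?php
// Added example: names starting with "example_" are hypothetical, not the plugin's.

/** Decode an imported settings blob; returns the settings array or null if rejected. */
function example_decode_settings(string $raw): ?array
{
    // allowed_classes => false turns every serialized object into an inert
    // __PHP_Incomplete_Class, so no magic method of an installed class can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        // Assumption: settings are a flat name => scalar map. Nested arrays and
        // placeholder objects are rejected outright.
        if (!is_string($key) || !(is_scalar($value) || $value === null)) {
            return null;
        }
    }
    return $data;
}

function example_import_config(): void
{
    // Nonce check: the request must originate from the plugin's settings page.
    check_ajax_referer('example_import_nonce', 'nonce');
    // Capability check: subscribers are authenticated but must not get this far.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }
    $raw = isset($_POST['config']) ? wp_unslash($_POST['config']) : '';
    $settings = is_string($raw) ? example_decode_settings($raw) : null;
    if ($settings === null) {
        wp_send_json_error(['message' => 'Invalid settings data'], 400);
    }
    update_option('example_plugin_settings', $settings);
    wp_send_json_success();
}

if (function_exists('add_action')) {
    add_action('wp_ajax_example_import_config', 'example_import_config');
} else {
    // Outside WordPress: run the decoder on constructed inputs. The second blob
    // carries an object and is rejected without its magic method ever running.
    class ExampleMagic { public function __wakeup() { echo "magic method ran\n"; } }
    var_dump(example_decode_settings(serialize(['size' => 32, 'label' => 'Share'])));
    var_dump(example_decode_settings(serialize(['x' => new ExampleMagic()])));
}
```

A format such as JSON, which cannot carry objects at all, removes the need for unserialize() on imported data entirely.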
Update Your Plugins!!
We can’t say this enough: updating your Sassy Social Share plugin is critical in order to patch this particular vulnerability.
Otherwise, you could run the risk of your site being taken over by attackers.
It’s also a good idea to keep your plugins updated regularly, if you don’t do so already.