The Advanced Order Export For WooCommerce plugin, a popular WordPress plugin used for exporting orders and other related data, has been found to be vulnerable to PHP Object Injection attacks in all versions up to and including version 3.5.5 when the "Try to convert serialized values" option is enabled. This vulnerability makes it possible for unauthenticated attackers to inject a PHP Object and could potentially lead to remote code execution on the server. This post will explore the vulnerability details, provide a code snippet to demonstrate the issue, and discuss possible mitigation strategies.

Vulnerability Details

The CVE-2024-10828 vulnerability is caused by the deserialization of untrusted input during the Order export process in the Advanced Order Export For WooCommerce plugin. This deserialization is performed via the maybe_unserialize() function, which is intended to convert serialized values back into their original data structure if the "Try to convert serialized values" option is enabled.

As mentioned in the Original Security Advisory, PHP Object Injection attacks allow an attacker to inject arbitrary PHP Objects into the application's scope. This injection can then lead to the execution of arbitrary code outside the active application.

The following code snippet demonstrates how the insecure deserialization occurs within the plugin:

function order_export_process($settings) {
    // ... (plugin code omitted)
    if ($settings['try_to_convert_serialized_values'] == 1) {
        // ... ($value holds the exported row values; omitted here)
        foreach ($value as $key => $subvalue) {
            // Every sub-value is handed to maybe_unserialize() unfiltered;
            // a serialized object string is instantiated as a live PHP object here.
            $value[$key] = maybe_unserialize($subvalue);
        }
    }
    // ...
}

As we can see, the maybe_unserialize() function is called for each value of the $value array when the "Try to convert serialized values" option is enabled.
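To show what a safe version of that loop body looks like, here is an added example (it is not the plugin's code and not WordPress's maybe_unserialize()). It assumes PHP 7.0 or newer, where unserialize() accepts the allowed_classes option; every input value below is constructed for the demonstration, and stdClass stands in for whatever class a real payload would name.

```php
<?php
// Added example, not part of the plugin: convert serialized scalars and
// arrays back into PHP values, but never instantiate an object.
// Assumes PHP >= 7.0 (allowed_classes option of unserialize()).

/**
 * Return true if $value is an object or an array containing one,
 * at any nesting depth. __PHP_Incomplete_Class is checked explicitly
 * because is_object() only reports it as an object since PHP 7.2.
 */
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Like maybe_unserialize(), but a value that is not serialized, is
 * malformed, or would produce an object is returned unchanged as the
 * original string instead of being instantiated.
 */
function safe_maybe_unserialize($data)
{
    if (!is_string($data)) {
        return $data;
    }
    $trimmed = trim($data);

    // Only scalar/array type tokens are accepted up front; the object
    // tokens 'O:' and 'C:' are deliberately absent from this list.
    if (!preg_match('/^(?:[asidb]:|N;)/', $trimmed)) {
        return $data;
    }

    // allowed_classes => false turns any object nested inside the data
    // into __PHP_Incomplete_Class rather than calling its constructor,
    // __wakeup() or (later) __destruct(), so no gadget code runs.
    $result = @unserialize($trimmed, ['allowed_classes' => false]);
    if ($result === false && $trimmed !== 'b:0;') {
        return $data;            // malformed input: keep the raw string
    }
    if (contains_object($result)) {
        return $data;            // an object was smuggled in: keep the raw string
    }
    return $result;
}

// Constructed sample values of the kind an export row might carry.
$samples = [
    'plain'  => 'just text',
    'array'  => 'a:2:{i:0;s:3:"foo";i:1;i:42;}',
    'string' => 's:5:"hello";',
    'object' => 'O:8:"stdClass":1:{s:1:"x";i:1;}',   // same shape as a gadget payload
    'nested' => 'a:1:{i:0;O:8:"stdClass":0:{}}',     // object hidden inside an array
];

foreach ($samples as $label => $raw) {
    $out = safe_maybe_unserialize($raw);
    printf("%-7s -> %s\n", $label,
        $out === $raw ? 'left as raw string' : var_export($out, true));
}
```

Run with php on the command line: 'plain', 'object' and 'nested' come back as the untouched string, while 'array' and 'string' are converted. The two-layer check matters because the up-front token test alone would still let an object pass inside an array; allowed_classes => false covers that case, and contains_object() makes the refusal explicit rather than silently exporting an incomplete-class stub.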

1. First, the attacker crafts a serialized PHP Object that encapsulates the desired malicious action.
2. The attacker then makes a request to the vulnerable plugin's ajax_generate_feed() endpoint, which triggers the order_export_process() function.
3. The crafted serialized PHP Object payload is passed within the request in a parameter, such as the convert_serialized_values parameter.
4. The payload is then deserialized by the maybe_unserialize() function, which creates and executes the malicious PHP Object.

Additionally, if a POP (Property-Oriented Programming) chain is present on the server, the injected object can be chained into it to perform actions such as deleting arbitrary files, which in turn can lead to remote code execution.

Mitigation Strategies

Given the critical nature of this vulnerability, it is advised to promptly apply the following mitigation strategies:

1. Update the Advanced Order Export For WooCommerce plugin to the latest version (3.5.6 or newer) as it contains a fix for this vulnerability.
2. Disable the "Try to convert serialized values" option in the plugin settings if it is enabled to prevent the deserialization of untrusted input.
3. Regularly update all WordPress plugins and the WordPress core software to minimize the risk of similar vulnerabilities in future.
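Alongside updating, a site owner may want to know whether anyone is sending serialized-object payloads at all. The following added example (not part of the plugin or of WordPress) flags request parameters that carry a serialized object token so the attempt can be logged before any deserialization code runs. The request array is constructed for the demonstration; the optional hook at the end uses the real WordPress add_action() and PHP's error_log(), and is only registered when add_action() exists, so the file also runs stand-alone.

```php
<?php
// Added example, not part of the plugin: detect serialized PHP object
// tokens in request parameters and log them.

/**
 * Return the names (as "a[b][c]" paths) of parameters whose string
 * value contains an 'O:<len>:"' or 'C:<len>:"' token, either at the
 * start of the value or nested inside a serialized array.
 */
function find_serialized_object_params(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $path = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, find_serialized_object_params($value, $path));
            continue;
        }
        // The token must begin the value or follow a '{' or ';' separator,
        // so ordinary text that merely starts with 'O' does not match.
        if (is_string($value) && preg_match('/(?:^|[{;])[OC]:\d+:"/', $value)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Constructed request: one benign serialized array, one array with an
// object hidden inside it, and one top-level object payload.
$request = [
    'action'  => 'export',
    'fields'  => [
        'note' => 'a:1:{i:0;s:2:"ok";}',
        'meta' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    ],
    'payload' => 'O:8:"stdClass":1:{s:1:"x";i:1;}',
];

foreach (find_serialized_object_params($request) as $path) {
    echo "serialized object token in parameter: {$path}\n";
}

// Optional: as a must-use plugin, log such requests as early as possible.
if (function_exists('add_action')) {
    add_action('init', function () {
        $hits = find_serialized_object_params(array_merge($_GET, $_POST));
        if ($hits !== []) {
            error_log('serialized PHP object in request params: ' . implode(', ', $hits));
        }
    });
}
```

Run stand-alone this prints fields[meta] and payload and leaves fields[note] alone. Logging rather than blocking is deliberate: the check is a heuristic (it does not inspect base64 or otherwise encoded values), so it is a signal for review and alerting, while the real fix remains the plugin update and disabling the conversion option.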

Conclusion

CVE-2024-10828 demonstrates the potential impact of PHP Object Injection vulnerabilities in WordPress plugins. As this vulnerability has been patched in the most recent version of the Advanced Order Export For WooCommerce plugin (3.5.6), it is highly recommended to update the plugin as soon as possible. Furthermore, keeping a constant eye on security updates and best practices can significantly reduce the risk of such vulnerabilities being exploited against your website.

Timeline

Published on: 11/13/2024 04:15:04 UTC
Last modified on: 11/19/2024 17:41:59 UTC