A recently discovered vulnerability, CVE-2024-10957, affects the UpdraftPlus: WP Backup & Migration Plugin for WordPress. This vulnerability impacts all versions up to and including 1.24.11 of the plugin and allows for PHP Object Injection through deserialization of untrusted input in the recursive_unserialized_replace function.

This post presents a detailed analysis of the vulnerability and discusses the potential risks and mitigations. It includes code snippets, links to original references, and information regarding exploit details.

Original Reference: CVE-2024-10957

Description

PHP Object Injection is an application-level vulnerability in which attacker-controlled data reaches PHP's unserialize() function. Because unserialize() instantiates whatever class the serialized string names and fills its properties with attacker-chosen values, magic methods of classes already loaded by the application (such as __wakeup, __destruct or __toString) run on attacker-controlled state. Whether that results in arbitrary file deletion, data disclosure or code execution depends on which usable classes (a POP chain) exist on the target.

In the UpdraftPlus: WP Backup & Migration Plugin, the vulnerable call is in the recursive_unserialized_replace function, which the plugin uses during its database search-and-replace (site migration) to rewrite values that are themselves stored in serialized form. Every value it visits that unserializes successfully is passed through unserialize() with default options, so a serialized PHP Object stored in the database is instantiated at that point. The two conditions in the advisory fit together as follows: an unauthenticated attacker only needs to get a serialized object string stored in a database value that the search-and-replace will later read, and the object is not instantiated until an administrator runs a search and replace action. That administrator action is therefore required to trigger the exploit.

It is also essential to note that no known Property-Oriented Programming (POP) chain is present in the vulnerable software itself. If an additional plugin or theme with a suitable POP chain is installed on the target system, the injected object could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Code Snippet

The following code snippet demonstrates the vulnerable function within the UpdraftPlus: WP Backup & Migration Plugin:

function recursive_unserialized_replace($from = '', $to = '', $data = '', $serialised = false) {

    // Unserialize the serialized data. The @ only suppresses the notice that
    // unserialize() emits for plain (non-serialized) strings; no allowed_classes
    // restriction is applied, so any class named in $data is instantiated here.
    if (is_string($data) && ($unserialized = @unserialize($data)) !== false) {
        $data = $this->recursive_unserialized_replace($from, $to, $unserialized, true);
    }

    // The rest of the method (recursion into arrays and objects, and the
    // plain-string replacement) is not shown in this abridged snippet.

    // Return the serialized data when the input was serialized.
    if ($serialised) {
        return serialize($data);
    }
    return $data;
}

In the above code, $data is each value the search-and-replace reads from the database, so it is attacker-influenced whenever any stored value can be written without authentication. Any string that unserializes successfully is unserialized with the default options of unserialize(), which instantiates whatever class the string names; the @ only hides the notice raised for non-serialized strings and does nothing to restrict classes. This call is the PHP Object Injection point.
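The following PHP is an added example written for this post; it is not UpdraftPlus code and does not claim to show how version 1.24.12 fixed the issue. It models the search-and-replace walk the vulnerable method performs, then runs it once with default unserialize() options and once with allowed_classes set to false, against a constructed benign value and a constructed payload. HypotheticalGadget stands in for a class another plugin or theme might supply (UpdraftPlus itself has no known POP chain); GadgetLog, walk_value and the replace_in_value_* names are illustrative choices made here.

```php
<?php
// Added example (not UpdraftPlus code). HypotheticalGadget, GadgetLog,
// walk_value and replace_in_value_* are illustrative names chosen here.

// Stand-in for a class that some other installed plugin or theme might supply.
// unserialize() with default options instantiates it, and PHP runs its
// __destruct() as soon as the object is released.
class HypotheticalGadget {
    public $path = '';
    public function __destruct() {
        // A real gadget might unlink($this->path); here we only record the call.
        GadgetLog::$calls[] = 'HypotheticalGadget::__destruct(' . $this->path . ')';
    }
}
class GadgetLog { public static $calls = array(); }

// Walks a stored value the way a database search/replace must: a string that
// unserializes is rewritten structurally (so the s:N: length prefixes stay
// correct), arrays and objects are recursed into, plain strings get str_replace().
// $unserialize_opts === null reproduces the vulnerable default-options call.
function walk_value($from, $to, $data, $unserialize_opts) {
    if (is_string($data)) {
        $u = (null === $unserialize_opts)
            ? @unserialize($data)
            : @unserialize($data, $unserialize_opts);
        if (false !== $u) {
            return serialize(walk_value($from, $to, $u, $unserialize_opts));
        }
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = walk_value($from, $to, $v, $unserialize_opts);
        }
        return $data;
    }
    if ($data instanceof __PHP_Incomplete_Class) {
        // Produced when allowed_classes disallows the class (or the class does
        // not exist): nothing was instantiated. Reading or writing its properties
        // raises an error, so leave it untouched; serialize() re-emits the
        // original class name for it.
        return $data;
    }
    if (is_object($data)) {
        foreach (get_object_vars($data) as $k => $v) {
            $data->$k = walk_value($from, $to, $v, $unserialize_opts);
        }
    }
    return $data;
}

// Vulnerable pattern: default unserialize() options, any named class is instantiated.
function replace_in_value_vulnerable($from, $to, $data) {
    return walk_value($from, $to, $data, null);
}

// Hardened pattern (PHP >= 7.0): objects in the input become
// __PHP_Incomplete_Class, so no magic method of an injected class ever runs.
function replace_in_value_hardened($from, $to, $data) {
    return walk_value($from, $to, $data, array('allowed_classes' => false));
}

// Constructed sample values of the kind a migration rewrites (not real site data).
$benign  = 'a:1:{s:3:"url";s:19:"http://oldsite.com/";}';
$payload = 'O:18:"HypotheticalGadget":1:{s:4:"path";s:13:"/tmp/old.site";}';

// The length prefix of the URL is recomputed from the replaced string, which a
// raw str_replace() on the serialized text would get wrong.
echo replace_in_value_hardened('oldsite.com', 'new-site.example', $benign), "\n";

echo replace_in_value_hardened('oldsite.com', 'new-site.example', $payload), "\n";
echo count(GadgetLog::$calls), " gadget call(s) after hardened replace\n";

echo replace_in_value_vulnerable('oldsite.com', 'new-site.example', $payload), "\n";
echo count(GadgetLog::$calls), " gadget call(s) after vulnerable replace\n";
print_r(GadgetLog::$calls);
```

Run with php on the command line. The hardened walk leaves the gadget's properties unchanged because it refuses to touch an incomplete object; a migration that must rewrite URLs inside legitimately stored objects would instead pass an explicit allow-list of known-safe classes in allowed_classes rather than false, which keeps injected classes out while still walking the objects the site actually uses.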

Exploit Details

Exploitation has two stages. First, the attacker gets a malicious serialized PHP Object stored in a database value that the plugin's search-and-replace will later read; the advisory rates this as possible without authentication. Second, an administrator runs a search and replace action, and recursive_unserialized_replace unserializes the stored value, instantiating the object. Nothing happens until the second stage, and with no POP chain in UpdraftPlus itself the instantiated object is inert unless another installed plugin or theme supplies usable magic methods.

The following request illustrates the shape of a search-and-replace call carrying a serialized PHP Object. It is illustrative only: the parameter names are not confirmed here, and, as described above, the object reaches the vulnerable function from a stored database value during the administrator's action rather than from an unauthenticated request to this endpoint.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.site
Content-Length: ...

action=updraft_ajax&subaction=searchreplace&search=oldsite.com&replace=newsite.com&entity=%3bO%3a8%3a%22Template%22%3a1%3a%7Bs%3a4%3a%22name%22%3bO%3a8%3a%22Template%22%3a1%3a%7Bs%3a4%3a%22name%22%3bR%3a2%3b%7D%7D&sequencenumber=1

URL-decoded, the entity parameter is:

;O:8:"Template":1:{s:4:"name";O:8:"Template":1:{s:4:"name";R:2;}}

that is, an object of class Template whose name property holds a second Template object, whose own name property is a back-reference (R:2) to an earlier value in the same payload, making the structure self-referential. The class name is arbitrary: if no class Template is loaded, unserialize() yields a __PHP_Incomplete_Class object instead, which is why a usable gadget class must already exist on the target for the injection to have any effect.

Mitigation

To protect your WordPress installation from this vulnerability, update the UpdraftPlus: WP Backup & Migration Plugin to version 1.24.12 or later, where the plugin author fixed this vulnerability. Until the update is applied, avoid running the plugin's search and replace action, since that administrator action is what triggers instantiation of any injected object. It is also essential to keep all other themes and plugins up to date, because the impact of an object injection depends entirely on a POP chain supplied by other installed code.

Additionally, follow secure coding practices when developing WordPress plugins and themes. Use the appropriate methods and functions for input validation, input sanitization, and output escaping. Where code must parse serialized data, call unserialize() with the allowed_classes option (available since PHP 7.0) set to false or to an explicit allow-list of expected classes, or prefer a format such as JSON that cannot instantiate objects; never pass data of uncertain origin to unserialize() with its default options.

In summary, stay vigilant with your WordPress security practices. Keep all plugins and themes up-to-date and follow secure coding standards to protect your installation from vulnerabilities like CVE-2024-10957.

Timeline

Published on: 01/04/2025 14:15:22 UTC