CVE-2024-31211: WordPress Unserialization Vulnerability in WP_HTML_Token Class Leading to Code Execution

WordPress, one of the most popular open-source publishing platforms for the web, recently encountered a critical security vulnerability. The vulnerability, designated as CVE-2024-31211, affects WordPress 6.4. through 6.4.1 versions and allows for code execution via unserialization of instances of the WP_HTML_Token class. The WordPress development team addressed this issue in the 6.4.2 update, which was released on December 6th, 2023.

Note: WordPress versions prior to 6.4. are not affected by this vulnerability.

Exploit Details

The WordPress unserialization vulnerability is rooted in the PHP __destruct() magic method within the WP_HTML_Token class. Unserialization exploits are particularly dangerous, as they allow attackers to execute arbitrary code, access sensitive data, or even take full control of the vulnerable application.

The issue stems from the way WordPress handles serialized data. When a serialized object of the WP_HTML_Token class is deserialized, the __destruct() method is called automatically, allowing an attacker to execute arbitrary code.

Code Snippet

class WP_HTML_Token {
    private $tagName;

    public function __construct($tagName) {
        $this->tagName = $tagName;
    }

    public function __destruct() {
        if (function_exists($this->tagName)) {
            call_user_func($this->tagName);
        }
    }
}

To exploit this vulnerability, an attacker would craft serialized data containing a malicious function name as the value of the $tagName property, instead of an actual HTML tag name. When this serialized object is deserialized, the __destruct() method will execute the malicious function, granting the attacker code execution privileges.

Original References

1. WordPress Release Notes - Version 6.4.2
2. CVE-2024-31211 - National Vulnerability Database (NVD)
3. WP_HTML_Token Class Source Code

Mitigation

As a WordPress user, taking immediate steps to address this vulnerability is crucial. To mitigate the risk of exploitation:

1. Update your WordPress to the latest version (6.4.2 or later) as soon as possible. The update includes a fix for this vulnerability, making your website secure from this specific exploitation.
2. Evaluate your website's codebase for instances of the WP_HTML_Token class and ensure proper handling of untrusted data - always sanitize user inputs and unserialize only trusted data.

4. Implement a Web Application Firewall (WAF) to add an extra layer of security for your website, as it may provide protection against vulnerabilities like these.

Conclusion

The WordPress unserialization vulnerability, CVE-2024-31211, affects versions 6.4. to 6.4.1 and poses a significant risk to users due to potential code execution. Be sure to take all necessary precautions to protect your WordPress site by updating to version 6.4.2 and implementing the recommended best practices above. Stay informed regarding any future security patches and updates to maintain the security and privacy of your online presence.

Timeline

Published on: 04/04/2024 23:15:16 UTC
Last modified on: 06/04/2024 17:36:13 UTC