The Geo Controller WordPress plugin is widely used by tens of thousands of websites to manage geolocation data for various purposes. Unfortunately, a recent security vulnerability (CVE-2024-3591) has been discovered in versions before 8.6.5. The vulnerability consists of unserialization of user input via certain AJAX actions and REST API routes that can lead to PHP Object Injection. This potentially allows unauthenticated users to perform malicious actions on affected websites when a suitable gadget is present on the blog. This article will delve into the details of this vulnerability, including code snippets, original references, and payload examples that exploit this weakness.

Issue Details

The root cause of this vulnerability is the improper handling of user-submitted data: several AJAX actions and REST API routes provided by the Geo Controller plugin unserialize user input directly. This lets an adversary have arbitrary PHP objects instantiated inside the plugin's request handling, which becomes a severe security risk as soon as a suitable gadget class is loaded on the site.

The researcher who discovered this vulnerability provided the following technical details in their report:

- Affected Files: class-geo-controller.php, class-ajax-controller.php
- Affected REST API Route: /geo-controller/v1/get-user-location/
- Affected AJAX Actions: geo_controller_get_user_location, geo_controller_set_user_location

The following code snippet, taken from the class-ajax-controller.php file, shows one of the affected functions:

public function get_user_location() {
    // ...
    // $_POST['user_location'] is fully under the requester's control and the
    // action is reachable without authentication. maybe_unserialize() hands any
    // string that looks serialized to unserialize() with no class restriction,
    // so an O:... payload instantiates whatever class the requester names.
    $user_location = maybe_unserialize(wp_unslash($_POST['user_location']));
    // ...
}

As shown, the function calls maybe_unserialize() on user-supplied POST data. Unserializing untrusted input without restricting which classes may be instantiated is exactly what makes PHP Object Injection possible.
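For comparison, here is how the same input can be handled without giving the request body the power to instantiate objects. This is an added example written for this article, not code from the Geo Controller plugin or from its 8.6.5 fix; the JSON field names lat and lng, the size cap and the coordinate ranges are assumptions. In the plugin's handler, $raw would be the wp_unslash($_POST['user_location']) value from the snippet above.

```php
<?php
// Added example, not the plugin's code. It replaces the
// maybe_unserialize(wp_unslash($_POST['user_location'])) pattern with two
// safe alternatives. The JSON field names "lat" and "lng" are assumptions.
declare(strict_types=1);

/**
 * Preferred: accept the location as JSON and validate its shape.
 * json_decode() with $associative = true yields plain arrays only, so no
 * class is ever instantiated from attacker-controlled bytes.
 * Returns ['lat' => float, 'lng' => float] or null when the input is rejected.
 */
function parse_user_location(string $raw): ?array
{
    if (strlen($raw) > 256) {          // a coordinate pair is tiny; cap the size
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || count($data) !== 2
        || !isset($data['lat'], $data['lng'])
        || !is_numeric($data['lat']) || !is_numeric($data['lng'])) {
        return null;
    }
    $lat = (float) $data['lat'];
    $lng = (float) $data['lng'];
    if ($lat < -90.0 || $lat > 90.0 || $lng < -180.0 || $lng > 180.0) {
        return null;
    }
    return ['lat' => $lat, 'lng' => $lng];
}

/**
 * Fallback for data that genuinely must stay in PHP's serialized format:
 * forbid every class. Any O:/C: token becomes a __PHP_Incomplete_Class
 * placeholder instead of a live object (no __wakeup/__destruct runs), and
 * the whole value is rejected if that happened anywhere in the structure.
 */
function unserialize_scalars_only(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    $sawObject = false;
    array_walk_recursive($value, function ($leaf) use (&$sawObject): void {
        if ($leaf instanceof __PHP_Incomplete_Class) {
            $sawObject = true;
        }
    });
    return $sawObject ? null : $value;
}

// Constructed inputs for a stand-alone run (php this_file.php).
$inputs = [
    'json ok'        => '{"lat": 52.52, "lng": 13.405}',
    'json bad range' => '{"lat": 120, "lng": 0}',
    'json object'    => 'O:8:"stdClass":0:{}',
];
foreach ($inputs as $label => $raw) {
    printf("%-15s %s\n", $label, var_export(parse_user_location($raw), true));
}
$legacy = [
    'array ok'       => 'a:2:{s:3:"lat";d:52.52;s:3:"lng";d:13.405;}',
    'nested object'  => 'a:1:{s:1:"k";O:8:"stdClass":0:{}}',
];
foreach ($legacy as $label => $raw) {
    printf("%-15s %s\n", $label, var_export(unserialize_scalars_only($raw), true));
}
```

The JSON path is the one to prefer for new code: the decoded value can only ever be arrays and scalars, and the allow-list on keys, types and ranges rejects anything that is not a plausible coordinate pair. The allowed_classes option has existed since PHP 7.0 and is the minimum change when a serialized format must be kept; checking for __PHP_Incomplete_Class afterwards turns a silently neutered object into a rejected request.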

Exploit Details

To exploit this vulnerability, an attacker must send a specially crafted HTTP request containing an object payload to one of the affected REST API routes or AJAX actions. Here is an example of a payload that can potentially exploit this vulnerability when the PHPUnit library is present on the target website:

O:52:"PHPUnit_Framework_MockObject_Invocation_Object":2:{s:106:"PHPUnit_Framework_MockObject_Invocation_Object000000007096650800000000617a4d35parentPropertyName";s:14:"systemFunction";s:107:"PHPUnit_Framework_MockObject_Invocation_Object000000007096650800000000617a4d35publicPropertyName";s:60:"cat /etc/passwd || echo 'No suitable gadget found on this blog'";}

This payload attempts to run the cat /etc/passwd command on the target server. If successful, it would demonstrate that the attacker effectively injected a PHP object with malicious intent.
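From the defender's side, requests of the kind described above share a recognisable shape: a request parameter whose value starts with, or contains, a serialized PHP object token such as O:8:"stdClass". The following request-body check is an added example, not code from the advisory or from the plugin, and is meant for a WAF rule or a request-logging hook in front of the affected endpoints. The endpoint paths follow normal WordPress conventions (admin-ajax.php and /wp-json/), the parameter name user_location is taken from the snippet earlier in this article, and all sample requests are constructed for the demo.

```php
<?php
// Added example, not from the advisory or the plugin: a request-body check
// that flags PHP serialized object tokens on their way to the affected
// endpoints, usable in a WAF rule or a request-logging hook. Endpoint paths
// follow WordPress conventions; the parameter name "user_location" comes from
// the vulnerable snippet; every sample request below is constructed.
declare(strict_types=1);

/** Collect every string value in a form-encoded or JSON body (nested too). */
function body_strings(string $contentType, string $body): array
{
    if (str_contains($contentType, 'application/json')) {
        $decoded = json_decode($body, true);
    } else {
        parse_str($body, $decoded);
    }
    $out = [];
    $walk = function ($v) use (&$out, &$walk): void {
        if (is_array($v)) {
            foreach ($v as $item) {
                $walk($item);
            }
        } elseif (is_string($v)) {
            $out[] = $v;
        }
    };
    $walk(is_array($decoded) ? $decoded : $body);
    return $out;
}

/**
 * True if the value is, or contains, a serialized PHP object: an O: (object)
 * or C: (custom-serialized) token at the start of the value or directly after
 * a ; or { separator inside a serialized array. A plain a:...{...} array of
 * scalars never matches.
 */
function has_serialized_object(string $value): bool
{
    return preg_match('/(?:^\s*|[;{])[OC]:\d+:"[^"]+":\d+:\{/', $value) === 1;
}

/** Returns a one-line finding for the request, or null when nothing matched. */
function inspect_request(string $method, string $path, string $contentType, string $body): ?string
{
    foreach (body_strings($contentType, $body) as $value) {
        if (has_serialized_object($value)) {
            return sprintf('%s %s: serialized PHP object in body (%s...)',
                $method, $path, substr($value, 0, 30));
        }
    }
    return null;
}

// Constructed sample requests: a benign array, an object sent to the AJAX
// action, and an object nested inside an array sent to the REST route.
$samples = [
    ['POST', '/wp-admin/admin-ajax.php', 'application/x-www-form-urlencoded',
        'action=geo_controller_set_user_location&user_location='
        . rawurlencode('a:2:{s:3:"lat";d:52.52;s:3:"lng";d:13.405;}')],
    ['POST', '/wp-admin/admin-ajax.php', 'application/x-www-form-urlencoded',
        'action=geo_controller_set_user_location&user_location='
        . rawurlencode('O:8:"stdClass":1:{s:1:"x";i:1;}')],
    ['POST', '/wp-json/geo-controller/v1/get-user-location/', 'application/json',
        '{"user_location":"a:1:{s:1:\"k\";O:8:\"stdClass\":0:{}}"}'],
];
foreach ($samples as [$method, $path, $contentType, $body]) {
    echo (inspect_request($method, $path, $contentType, $body) ?? "$method $path: ok"), PHP_EOL;
}
```

The check decodes the body first so that URL-encoded and JSON-quoted payloads are inspected in their decoded form, which is what the plugin would have unserialized. It is deliberately coarse: a legitimate string literal that happens to contain an O:n:"..." sequence would also be flagged, so matches are better logged and reviewed than silently dropped, and the check is a compensating control while the plugin update is rolled out, not a replacement for it.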

Mitigation

To address this critical security vulnerability, it is imperative to update the Geo Controller WordPress plugin to version 8.6.5 or later. This update resolves the issue by implementing proper validation and sanitization of user input. It is also essential to maintain a proactive approach towards WordPress plugin security, including running regular updates and only using plugins from trusted sources.

Original References

The researcher who discovered this vulnerability has published their findings in detail. Here are the links to the original security advisory and CVE information:

1. Security Advisory for Geo Controller WordPress Plugin
2. CVE-2024-3591 Information

Conclusion

The CVE-2024-3591 vulnerability found in the Geo Controller WordPress plugin before version 8.6.5 poses a significant security risk to affected websites. The unserialization of user input via certain AJAX actions and REST API routes can potentially allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. By updating the plugin to version 8.6.5 or later and maintaining best practices for plugin security, WordPress website administrators can help safeguard against this and other vulnerabilities.

Timeline

Published on: 05/01/2024 06:15:21 UTC
Last modified on: 07/03/2024 02:06:23 UTC