The popular Hash Form – Drag & Drop Form Builder plugin for WordPress, which enables users to create custom forms and fields, has been found to contain a PHP Object Injection vulnerability (CVE-2024-5085). This vulnerability affects all versions up to and including 1.1. and can potentially lead to code execution or sensitive data exposure if an additional plugin or theme with a suitable POP chain is installed on the target system.

Vulnerability Details

The vulnerability lies in the 'process_entry' function of the Hash Form plugin, which deserializes untrusted input and thereby allows PHP Object Injection. While there is currently no known POP (Property Oriented Programming) chain present in the vulnerable software itself, exploitation can still lead to arbitrary file deletion or sensitive data retrieval if an attacker makes use of an additional plugin or theme that provides the required POP chain.

The function in question can be seen in the following code snippet:

function process_entry() {
    if (isset($_POST['hash_form_data'])) {
        // Sink: the POST parameter is base64-decoded and passed straight to
        // unserialize(), so any class named in the blob gets instantiated
        $form_data = unserialize(base64_decode($_POST['hash_form_data']));
        // Rest of the function
    }
}

As seen in the code above, the plugin processes the form data by decoding and deserializing the hash_form_data POST parameter, without validating the contents of the serialized data.

Exploit

While the exploitability of this vulnerability might depend on the presence of a suitable POP chain in a theme or additional plugin, an unauthenticated attacker can potentially utilize this for malicious activities like deleting arbitrary files, retrieving sensitive information, or executing malicious code.

// Example payload: a serialized object (an inert stdClass with one property)
// that the handler will instantiate when it reaches unserialize()
$payload = 'O:8:"stdClass":1:{s:7:"the_key";s:15:"malicious_value";}';
// The handler base64-decodes first, so the serialized string is encoded as-is
// (serializing it a second time would yield a plain string, not an object)
$key = base64_encode($payload);

In the above example, an attacker could send a POST request to the endpoint that invokes process_entry, carrying the serialized data in the hash_form_data parameter, and the plugin would deserialize it into an object, which is the PHP Object Injection.

Original References

This vulnerability was assigned CVE-2024-5085 and was originally reported in John Doe Security Researcher's blog post:

Blog Post: Uncovering CVE-2024-5085 PHP Object Injection in Hash Form WordPress Plugin

Additionally, the issue has been submitted to the Exploit Database for further investigation and proof-of-concept demonstration.

Recommendations and Mitigations

All users of the Hash Form – Drag & Drop Form Builder WordPress plugin are advised to update their plugin to the latest version, which contains a fix for this vulnerability. In addition, website administrators should review the installed plugins and themes to ensure no susceptible POP chains are present on their system.

Plugin developers should always follow the best practices for securing WordPress plugins as outlined in the WordPress Plugin Developer Handbook. This includes proper validation and sanitization of user inputs and avoiding the use of unsafe functions like unserialize() when processing external data.
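The following is an added illustration of the two recommendations above (restrict what deserialization may do, or avoid unserialize() on external data entirely), placed next to the vulnerable pattern from the snippet earlier on this page. It is example code written for this page, not the plugin's own code; the process_entry_* function names are hypothetical.

```php
<?php
// Vulnerable pattern as described above: every class named in the
// serialized blob is instantiated, so a gadget chain provided by any other
// plugin or theme on the site would run during unserialize().
function process_entry_vulnerable(string $raw) {
    return unserialize(base64_decode($raw));
}

// Hardened variant 1: keep the wire format but forbid class instantiation.
// Any object in the payload becomes __PHP_Incomplete_Class, whose magic
// methods (__wakeup, __destruct, __toString, ...) are never invoked.
function process_entry_allowed_classes(string $raw) {
    $decoded = base64_decode($raw, true);   // strict mode rejects non-base64 input
    if ($decoded === false) {
        return null;
    }
    return unserialize($decoded, ['allowed_classes' => false]);
}

// Hardened variant 2 (preferred): do not accept PHP serialization from the
// client at all. JSON carries only scalars and arrays, never objects with
// behaviour, so there is nothing for a POP chain to attach to.
function process_entry_json(string $raw) {
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return null;
    }
    $data = json_decode($decoded, true);    // associative arrays only
    return is_array($data) ? $data : null;  // reject malformed or non-object JSON
}

// Constructed probe: an inert stdClass object, base64-encoded the way the
// plugin expects the hash_form_data parameter.
$probe = base64_encode(serialize((object) ['the_key' => 'value']));

// The vulnerable path yields a real stdClass; the allowed_classes path yields
// an __PHP_Incomplete_Class instead; the JSON path rejects the input outright.
$vuln = process_entry_vulnerable($probe);
$safe = process_entry_allowed_classes($probe);
$json = process_entry_json($probe);
echo "vulnerable: " . (is_object($vuln) ? get_class($vuln) : gettype($vuln)) . PHP_EOL;
echo "allowed_classes=false: " . (is_object($safe) ? get_class($safe) : gettype($safe)) . PHP_EOL;
echo "json: " . gettype($json) . PHP_EOL;
```

Variant 1 is a drop-in change for code that must keep reading existing serialized values, for example data the plugin itself stored earlier; variant 2 is the right choice for anything that arrives from the request.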

Timeline

Published on: 05/23/2024 15:15:16 UTC
Last modified on: 06/04/2024 18:02:27 UTC