ARTICLE AD BOX
A captious severity vulnerability was discovered and patched successful the Better Search Replace plugin for WordPress which has implicit 1 cardinal progressive website installs. Successful attacks could pb to arbitrary record deletions, delicate information retrieval and codification execution.
Severity Level Of Vulnerability
The severity of vulnerabilities are scored connected a constituent strategy with ratings described arsenic ranging from debased to critical:
- Low 0.1-3.9
- Medium 4.0-6.9
- High 7.0-8.9
- Critical 9.0-10.0
The severity of the vulnerability discovered successful the Better Search Replace plugin is rated arsenic Critical, which is the highest level, with a people of 9.8 connected the severity standard of 1-10.
Illustration by Wordfence
Better Search Replace WordPress Plugin
The plugin is developed by WP Engine but it was primitively created by the Delicious Brains improvement institution that was acquired by WP Engine. Better Search Replace is simply a poplar WordPress instrumentality that simplifies and automates the process of moving a hunt and regenerate task connected a WordPress website database, which is utile successful a tract oregon server migration task. The plugin comes successful a escaped and paid Pro version.
The plugin website lists the pursuing features of the escaped version:
- “Serialization enactment for each tables
- The quality to prime circumstantial tables
- The quality to tally a “dry run” to spot however galore fields volition beryllium updated
- No server requirements speech from a moving installation of WordPress
- WordPress Multisite support”
The paid Pro mentation has further features specified arsenic the quality to way what was changed, quality to backup and import the database portion the plugin is running, and extended support.
The plugin’s popularity is owed to the easiness of use, usefulness and a past of being a trustworthy plugin.
PHP Object Injection Vulnerability
A PHP Object Injection vulnerability, successful the discourse of WordPress, occurs erstwhile a user-supplied input is unsafely unserialized. Unserialization is simply a process wherever drawstring representations of objects are converted backmost into PHP objects.
The non-profit Open Worldwide Application Security Project (OWASP) offers a wide description of the PHP Object Injection vulnerability:
“PHP Object Injection is an exertion level vulnerability that could let an attacker to execute antithetic kinds of malicious attacks, specified arsenic Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending connected the context.
The vulnerability occurs erstwhile user-supplied input is not decently sanitized earlier being passed to the unserialize() PHP function. Since PHP allows entity serialization, attackers could walk ad-hoc serialized strings to a susceptible unserialize() call, resulting successful an arbitrary PHP object(s) injection into the exertion scope.
In bid to successfully exploit a PHP Object Injection vulnerability 2 conditions indispensable beryllium met:
- The exertion indispensable person a people which implements a PHP magic method (such arsenic __wakeup oregon __destruct) that tin beryllium utilized to transportation retired malicious attacks, oregon to commencement a ‘POP chain’.
- All of the classes utilized during the onslaught indispensable beryllium declared erstwhile the susceptible unserialize() is being called, different entity autoloading indispensable beryllium supported for specified classes.”
If an attacker tin upload (inject) an input to see a serialized entity of their choosing, they tin perchance execute arbitrary codification oregon compromise the website’s security. As mentioned above, this benignant of vulnerability usually arises owed to inadequate sanitization of idiosyncratic inputs. Sanitization is simply a modular process of vetting input information truthful that lone expected types of input are allowed and unsafe inputs are rejected and blocked.
In the lawsuit of the Better Search Replace plugin, the vulnerability was exposed successful the mode it handled deserialization during hunt and regenerate operations. A captious information diagnostic missing successful this script was a POP concatenation – a bid of linked classes and functions that an attacker tin usage to trigger malicious actions erstwhile an entity is unserialized.
While the Better Search Replace plugin did not incorporate specified a chain, but the hazard remained that if different plugin oregon taxable installed connected the aforesaid website contained a POP concatenation that it could past let an attacker to motorboat attacks.
Wordfence describes the vulnerability:
“The Better Search Replace plugin for WordPress is susceptible to PHP Object Injection successful each versions up to, and including, 1.4.4 via deserialization of untrusted input.
This makes it imaginable for unauthenticated attackers to inject a PHP Object.
No POP concatenation is contiguous successful the susceptible plugin. If a POP concatenation is contiguous via an further plugin oregon taxable installed connected the people system, it could let the attacker to delete arbitrary files, retrieve delicate data, oregon execute code.”
In effect to this discovery, WP Engine promptly addressed the issue. The changelog introduction for the update to mentation 1.4.5, released connected January 18, 2024, highlights the measures taken:
“Security: Unserializing an entity during hunt and regenerate operations present passes ‘allowed_classes’ => mendacious to debar instantiating the entity and perchance moving malicious codification stored successful the database.”
This update came aft Wordfence’s liable disclosure of the vulnerability connected December 18, 2023, which was followed by WP Engine’s improvement and investigating of the fix.
What To Do In Response
Users of the Better Search Replace plugin are urged to update to the latest mentation instantly to support their websites from unwanted activities.
.png)
English (US)