On October 6, 2020, our Threat Intelligence team discovered a high-severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with more than 20,000 installations that claims top market share in Japan.
After we finished our investigation, we contacted the plugin's publisher, Collne Inc., on October 9, 2020. Full disclosure was provided on October 12, 2020, and the plugin was patched in version 1.9.36 on October 20, 2020.
Wordfence Premium customers received a firewall rule protecting against this vulnerability on October 9, 2020. Sites still using the free version of Wordfence will receive this rule after 1 month, on November 8, 2020.
Affected Plugin: Welcart e-Commerce
Plugin slug: usc-e-shop
Affected Versions: < 1.9.36
CVE ID: Pending
CVSS Score: 7.5 (High)
Fully Patched Version: 1.9.36
Welcart e-Commerce is a WordPress plugin that can be used to create an online store with a separate customer account area. It uses its own cookies, separate from the ones used by WordPress, to track user sessions. Every request to the site results in the usces_cookie being parsed by the get_cookie function. This function used usces_unserialize to decode the contents of the cookie.

    function get_cookie($key='usces_cookie') {
        // The raw cookie value is attacker-controlled and is passed straight to usces_unserialize().
        $values = isset($_COOKIE[$key]) ? usces_unserialize(stripslashes($_COOKIE[$key])) : NULL;
        return $values;
    }

    function usces_unserialize( $data ) {
        // Anything that looks like PHP-serialized data is unserialized with no class restriction.
        if( is_serialized( $data ) ) {
            return @unserialize( $data );
        }
        if( is_array( $data ) ) {
            return $data;
        }
        return @json_decode( $data, true );
    }

Unfortunately, this meant that an attacker could send a request with the usces_cookie parameter set to a specially crafted string which, once unserialized, would inject a PHP object.
PHP Object Injections require a vulnerable magic method to be present in order to fully exploit what is known as a POP chain. We've described POP chains before in a previous article. A POP chain allows an attacker to use what are known as magic methods to obtain remote code execution, delete arbitrary files, or perform other actions that could allow them to take over a site.
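The difference between an unrestricted unserialize() call on cookie data and a decoder that refuses to instantiate classes, as an added example. This is not the plugin's code and not the fix shipped in 1.9.36; DemoGadget, decode_unsafe, decode_hardened and contains_object are hypothetical names, and the sample cookie values are constructed.

```php
<?php
// Constructed stand-in for any class with a magic method that is loaded at decode time.
final class DemoGadget {
    public static $destructs = 0;
    public function __destruct() { self::$destructs++; }
}

// The pattern from the advisory: attacker-controlled bytes reach unserialize() unrestricted.
function decode_unsafe(string $raw) {
    return @unserialize($raw);
}

// True if any element, at any depth, is an object (including __PHP_Incomplete_Class).
function contains_object(array $value): bool {
    foreach ($value as $item) {
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class
            || (is_array($item) && contains_object($item))) {
            return true;
        }
    }
    return false;
}

// Hardened decoder (assumed design): JSON first, then legacy serialized arrays with no classes.
function decode_hardened(string $raw): ?array {
    $json = json_decode($raw, true);   // assoc=true yields only arrays and scalars
    if (is_array($json)) {
        return $json;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($value) && !contains_object($value)) ? $value : null;
}

// Constructed sample cookie values.
$samples = [
    'json cookie'     => '{"id":"abc"}',
    'legacy array'    => 'a:1:{s:2:"id";s:3:"abc";}',
    'object at top'   => 'O:10:"DemoGadget":0:{}',
    'object in array' => 'a:1:{s:1:"x";O:10:"DemoGadget":0:{}}',
];
foreach ($samples as $label => $raw) {
    DemoGadget::$destructs = 0;
    $unsafe = decode_unsafe($raw);
    unset($unsafe);                    // dropping the value runs any __destruct
    $viaUnsafe = DemoGadget::$destructs;
    $safe = decode_hardened($raw);
    printf("%-16s unsafe __destruct calls: %d | hardened: %s, __destruct calls: %d\n", $label,
        $viaUnsafe, $safe !== null ? 'accepted' : 'rejected', DemoGadget::$destructs - $viaUnsafe);
}
```

The allowed_classes option requires PHP 7.0 or later; with it set to false, serialized objects come back as __PHP_Incomplete_Class and no class-defined magic method runs.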
This plugin included a library, tcpdf, which contains a __destruct magic method that could have been used to create a POP chain under other circumstances. Fortunately, a complete POP chain was not present, because the plugin unserialized the cookie before the TCPDF class was loaded and defined, so it was not possible to inject an object of this class.
In more good news, this vulnerability could not be exploited using the recently patched issue in WordPress core's Requests_Utility_FilteredIterator class, because the usces_unserialize function used the is_serialized function to decide whether to unserialize the cookie data, and attacks against Requests_Utility_FilteredIterator failed this check.
October 6, 2020 – Our Threat Intelligence team discovers a PHP Object Injection vulnerability in Welcart e-Commerce.
October 9, 2020 – Our Threat Intelligence team finishes investigating the vulnerability and contacts the plugin's publisher. A firewall rule is released for Wordfence Premium users.
October 12, 2020 – We provide full disclosure to the plugin's publisher.
October 20, 2020 – An adequate patch for Welcart e-Commerce is released.
November 8, 2020 – The Wordfence firewall rule becomes available to sites running the free version of Wordfence.
In today's post, we detailed a PHP Object Injection vulnerability in the Welcart e-Commerce plugin. Wordfence Premium users have been protected from this vulnerability since October 9, 2020. Sites still running the free version of Wordfence receive the firewall rule on November 8, 2020.
We recommend updating to the latest version, 1.9.36 as of this writing, as soon as possible. If someone you know is using Welcart e-Commerce, we suggest sharing this advisory with them so that they can take the necessary action to protect their site.
The post Object Injection Vulnerability in Welcart e-Commerce Plugin appeared first on Wordfence.