A WordPress vulnerability has been classified as critical and has now been patched. However, according to one security researcher, the critical vulnerability is being exploited remotely.
This is why WordPress users are being asked to update to version 5.7.2 as soon as possible, as the most recent version of the world’s most popular CMS has a security patch that resolves the aforementioned major vulnerability.
WordPress version 5.7.2 is currently the latest, patched version. The update is available for manual download, and WordPress sites that have automatic updates enabled will receive it without needing to do anything else.
Publishers are still advised to check which WordPress version they are running and make sure it is 5.7.2.
Object Injection Vulnerability
The CVE-2020-36326 vulnerability affects WordPress versions 3.7 to 5.7 and carries a critical severity score of 9.8 because it could let an attacker carry out a number of harmful actions against an unpatched site.
The security issue affecting WordPress is referred to as an Object Injection vulnerability; in this case it is an object injection in the PHPMailer component that WordPress bundles.
The OWASP security website (Owasp.org) defines the PHP Object Injection vulnerability much more clearly. According to its description, PHP Object Injection is an application-level vulnerability that allows an attacker to carry out a variety of harmful attacks; depending on the context, it can lead to Code Injection, Path Traversal, SQL Injection, and Application Denial of Service.
“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.
Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.”
The major vulnerability arises when user-supplied input is not properly sanitized before it reaches unserialize(). Because PHP supports object serialization, attackers can pass crafted serialized strings to the unserialize() call, and as a result arbitrary PHP objects are injected into the application scope.
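The mechanism OWASP describes, as an added example that is not code from the article, from WordPress, PHPMailer or OWASP: a constructed class with a magic method, a constructed serialized payload that names that class, and the vulnerable loader beside two hardened ones. The class name CacheEntry, the loader function names and the sample inputs are all assumptions made for this illustration.

```php
<?php
// Added example for this article; it is not code from WordPress, PHPMailer
// or OWASP. The CacheEntry class, the sample inputs and the three loader
// functions are all constructed here to show the mechanism described above.

// A class with a "magic method". PHP runs __wakeup() automatically when an
// object of this class is reconstructed by unserialize(), so any loaded class
// with such a method is a potential gadget (the "vulnerable magic method"
// Wordfence refers to further down).
class CacheEntry
{
    public string $file = '';

    public function __wakeup(): void
    {
        // Side effect that fires purely because the object was deserialized.
        // A real gadget might delete, write or include $this->file instead.
        echo "CacheEntry reconstructed, pointing at {$this->file}\n";
    }
}

// Constructed inputs: the shape the application expects (a plain array) ...
$expected = serialize(['page' => 2, 'sort' => 'date']);
// ... and a string that smuggles an application object into the same call.
$entry = new CacheEntry();
$entry->file = '/tmp/anything';
$smuggled = serialize($entry);

// VULNERABLE: whichever class the string names gets instantiated.
function loadStateUnsafe(string $input): mixed
{
    return unserialize($input);
}

// True if $value is, or contains, any object (including
// __PHP_Incomplete_Class placeholders nested inside arrays).
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED 1: forbid every class. With allowed_classes => false, PHP turns any
// serialized object into a __PHP_Incomplete_Class placeholder and calls no
// magic method; we then refuse the whole payload if any object is present.
function loadStateSafe(string $input): mixed
{
    $value = unserialize($input, ['allowed_classes' => false]);
    if (containsObject($value)) {
        throw new UnexpectedValueException('objects are not accepted here');
    }
    return $value;
}

// HARDENED 2: do not use PHP serialization for untrusted data at all. JSON
// carries only scalars and arrays, never your classes or their magic methods.
function loadStateJson(string $input): array
{
    $value = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $value;
}

var_dump(loadStateUnsafe($expected));  // plain array, as intended
loadStateUnsafe($smuggled);            // prints the __wakeup() message: the gadget ran
var_dump(loadStateSafe($expected));    // plain array, still works
try {
    loadStateSafe($smuggled);          // rejected; __wakeup() never runs
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(loadStateJson('{"page":2,"sort":"date"}'));
```

The point of the second hardened loader is that the safest fix is usually to stop feeding untrusted data to unserialize() at all; where that is impossible, the allowed_classes option (PHP 7.0 and later) prevents any application class, and therefore any magic method, from being reached.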
Ram Gall of Wordfence outlined how an attacker may potentially exploit this issue in a new blog post, saying:
“Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins. In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment.”
9.8/10 Critical Score
The vulnerability is rated towards the top of the criticality scale: the Common Vulnerability Scoring System (CVSS) scores it 9.8 on a scale of 1 to 10. The official United States government vulnerability rating is also published on the Patchstack security website.
According to the Patchstack security site that published details of the vulnerability:
“DETAILS: Object injection in PHPMailer vulnerability discovered in WordPress (one security issue affecting WordPress versions between 3.7 and 5.7).
SOLUTION: Update the WordPress to the latest available version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix the following security issue.”
On the other hand, the official WordPress announcement for WordPress 5.7.2 stated the following:
“Security updates: One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues: Object injection in PHPMailer.”
As a result, the best approach is to update WordPress to the most recent version, which fixes the security problem affecting WordPress versions 3.7 through 5.7. The remedy is, once again, an upgrade to address the security concerns.
According to the official United States government National Vulnerability Database (NVD) website, which announces flaws, this problem arose because the fix for a previous vulnerability introduced a new one.
The U.S. Government National Vulnerability Database describes the vulnerability like this:
“PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: This is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.”
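The NVD entry explains why an attachment path is dangerous at all: PHP's phar:// stream wrapper unserializes a phar archive's metadata as soon as the archive is touched by an ordinary filesystem function such as file_exists() or is_readable(), so a user-influenced path string is an object-injection sink even if its contents are never read. As an added example that is not PHPMailer's or WordPress's own fix, here is the kind of input check a defender wants in front of any code that accepts such a path. The function name isSafeAttachmentPath(), the scratch directory and the sample paths are all constructed for this illustration.

```php
<?php
// Added example for this article, not PHPMailer's or WordPress's own fix.
// It shows the input check a defender wants in front of any code that takes
// a user-influenced attachment path: PHP's phar:// stream wrapper unserializes
// a phar archive's metadata as soon as the archive is touched by an ordinary
// filesystem function (file_exists(), is_readable(), filesize(), ...), so a
// path string is an object-injection sink even if its contents are never sent.
// isSafeAttachmentPath() and the sample paths below are constructed here.

function isSafeAttachmentPath(string $path, string $allowedDir): bool
{
    // 1. No stream-wrapper URLs (phar://, data://, http://, ...). A local
    //    attachment path never needs one, so the scheme syntax alone is enough
    //    to reject. Note that "C:\..." does not match: there is no "://".
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    // 2. No UNC-style network paths (\\server\share or //server/share), the
    //    input shape the NVD entry above describes.
    if (str_starts_with($path, '\\\\') || str_starts_with($path, '//')) {
        return false;
    }
    // 3. No embedded NUL bytes, which truncate the path in C-level calls.
    if (str_contains($path, "\0")) {
        return false;
    }
    // 4. Only now touch the filesystem: canonicalise and confine the result to
    //    the directory attachments are expected to live in.
    $real = realpath($path);
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($real, $prefix);
}

// Constructed demo environment: a scratch directory with one real attachment.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attachments-demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample');

$samples = [
    $dir . '/report.pdf',                 // legitimate: accepted
    'phar://' . $dir . '/archive.phar/x', // stream wrapper: rejected before any fs call
    '\\\\fileserver\\share\\report.pdf',  // UNC path: rejected
    $dir . '/../outside.txt',             // leaves the directory: rejected
    "$dir/report.pdf\0.txt",              // NUL truncation attempt: rejected
];
foreach ($samples as $sample) {
    printf("%-60s %s\n", addcslashes($sample, "\0"),
        isSafeAttachmentPath($sample, $dir) ? 'accepted' : 'rejected');
}
```

The ordering matters: the string-level checks run before realpath() or any other filesystem call, so a wrapper URL is rejected without ever being opened. The same scheme check is also what a request-level filter (a firewall rule of the sort Wordfence describes later in the article) can apply to incoming parameters before they reach application code.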
Wordfence: No Reason to Panic
There’s no reason to fear, according to Wordfence security researchers. Wordfence, in its professional judgment, downplayed the chances of an exploit occurring as a result of this vulnerability.
“In our assessment, successfully exploiting this vulnerability would require a large number of factors to line up, including the presence of at least one additional vulnerability in a plugin or other component installed on the site as well as the presence of a vulnerable magic method.
We are also currently unaware of any plugins that could be used to exploit this vulnerability even as a site administrator.
This is unlikely to be used as an intrusion vector, though it is possible that it could be used by attackers who have already gained some level of access to escalate their privileges.”
Wordfence went on to say that, despite this, users are strongly advised to update to the current version of WordPress as soon as possible, because the sheer volume of WordPress installations means that vulnerable sites are virtually certain to exist. Furthermore, the vulnerability could turn out to be easier to attack than originally thought, or the original researchers or other parties could publish more thorough proof-of-concept code in the future.
They also stated that the built-in PHAR deserialization protection in the Wordfence firewall should protect all of its users, including Wordfence Premium customers and those still using the free version, from any attempts to exploit this issue.