Core team had put some effort into project in order to preven unserialize of user input via phar stream wrapper. In general, efforts are good, but to excelent there are two more grades and this is the max with this approach. In the core there is function path_join that accepts two parameters $base and $path. $path is then sent towards function path_is_absolute and from the code …
WordPress introduced maybe_unserialize and maybe_serialize as security functions in the past and they are deeply integrated in the core. Usually for backward compatibility or improper usage in the past, many software vendors are using multiple maybe_unserialize towards values that could be planted into DB with lower number of maybe_serializecalls. Eli5 PoC and if you think that this code isn’t existing then …
If we execute the following MySQL query against WP database we will get results in case we had already uploaded media in the past This is sort of “feature” of MySQL RDBMS, but what this means from WP aspect. It means a lot, because in the past there were account take over / backdoor vulnerabilities …
Native WordPress importer have 3 different parser classes: WXR_Parser_SimpleXML, WXR_Parser_XML and WXR_Parser_Regex. If first two required PHP extensions (simplexml and xml) aren’t installed or somehow they fail during export file parsing, then everything should be done by WXR_Parser_Regex class. Failing could occure because: malformed XML file Huge XML file with lot of data (libxml doesn’t obay memory constraints from php.ini) most important one: …
Few months back security research regarding WP learning platforms got my attention. From writing there and change logs it was obvios that some of the SQLi vulnerabilities remained in the code and what is more interesting it is easy to be escalated to RCE. Eli5 PoC Into function learn_press_duplicate_post_meta which is called from learn_press_duplicate_post we have the following: From …
This bug is 0day, but same as this bug was reported in the past. Try to fix here and fix here. Anyway, in the Woo code there is another DB query that modifies serialized PHP content outside from serialize / unserialize PHP functions and that results into user object injection. Beside numerous tries to harden WP, …
WordPress is on the auto-updates train for everything lately and they do it for “security”. Auto-updates from core is approach and it is same for everything, so let we see what is doing under the hood. There is function update_core and that is the place where magic is happening. WP core is deciding via get_core_checksums what files need to …
WordPress project have put a lot of effort to prevent meddling with _wp_attached_file meta value. Part of this effort was put into wordpress-importer plugin as part of the core, but… Few versions back there was possibility to bypass those restrictions with \ WP “magic”, but there are few more techniques. Eli5 PoC class-wp-import.php method is_valid_meta_key we have the following: and Do you …
Big efforts were put into validation and verification of image uploads in WP as a project. Yet, that isn’t completed task. In the WP core there is function wp_upload_bits which allows to be “uploaded” file with any content with any of the allowed extensions. Beside its widespread usage around eco system there are two places in the core …
It is common knowledge that non binary safe functions in PHP should be avoided e.g. to be replaced from legacy code with binary safe alternatives. What we have in the WP core class-wp-image-editor-imagick and we all know that PHP imagick prefers writeImageFile before writeImage because it is binary safe. What does this mean? This means if WP uses class-wp-image-editor-imagick as default image …