MarketPress <= 3.2.6 - PHP Object Injection


Description
The MarketPress plugin (installed in a directory named wordpress-ecommerce), versions 3.2.6 and prior, is vulnerable to a PHP Object Injection attack through the cart cookie value stored in connection with this plugin.

Proof of Concept
Send an object to the site in the mp_globalcart_* cookie value and it will be unserialized on the request.

Vulnerable code snippet:

wordpress-ecommerce/includes/common/class-mp-cart.php (lines 385-390)

    $this->_cookie_id = 'mp_globalcart_' . COOKIEHASH;
    $this->_items     = array( $this->_id => array() );

    if ( $cart_cookie = mp_get_cookie_value( $this->_cookie_id ) ) {
            // Clean cookie from non-product items
            // The client-supplied cookie value reaches unserialize() unchecked
            $cart_cookie_items = unserialize( $cart_cookie );
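
For comparison with the snippet above, one way to decode such a cookie without instantiating objects. This is an added example, not MarketPress code and not the change shipped in 3.2.7; the function name and the assumed cart shape (integer id => integer item id => integer quantity) are hypothetical. The second argument to unserialize() requires PHP 7.0 or later.

```php
<?php
// Added example, not plugin code. example_decode_cart_cookie() and the
// cart shape it accepts are assumptions made for illustration.

/**
 * Decode a cart cookie value without allowing object instantiation.
 * Returns the validated items, or an empty array if the value is rejected.
 */
function example_decode_cart_cookie( $raw ) {
    // Reject non-strings, empty values and oversized values up front.
    if ( ! is_string( $raw ) || $raw === '' || strlen( $raw ) > 4096 ) {
        return array();
    }

    // allowed_classes => false makes every serialized object decode to
    // __PHP_Incomplete_Class, so no magic method of a loaded class runs.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array();
    }

    // Rebuild the cart from scratch, copying only values of the expected type.
    $clean = array();
    foreach ( $data as $cart_id => $items ) {
        if ( ! is_int( $cart_id ) || ! is_array( $items ) ) {
            continue; // drops scalars and __PHP_Incomplete_Class placeholders
        }
        foreach ( $items as $item_id => $qty ) {
            if ( is_int( $item_id ) && is_int( $qty ) && $qty > 0 ) {
                $clean[ $cart_id ][ $item_id ] = $qty;
            }
        }
    }
    return $clean;
}

// Constructed inputs: a well-formed cart, and a cookie value carrying an
// object where the item list is expected.
$benign  = serialize( array( 1 => array( 42 => 2 ) ) );
$hostile = 'a:1:{i:1;O:8:"stdClass":0:{}}';

var_dump( example_decode_cart_cookie( $benign ) );
var_dump( example_decode_cart_cookie( $hostile ) );
```

Storing the cart as JSON and reading it with json_decode() avoids unserialize() on client data altogether and also works on PHP versions older than 7.0.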

Affects Plugin

wordpress-ecommerce, fixed in version 3.2.7

References

URL https://premium.wpmudev.org/project/e-commerce/
URL https://plugins.trac.wordpress.org/changeset/1735475/wordpress-ecommerce

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Robert R
Submitter Website https://pagely.com
Submitter Twitter @iamlei
Verified No
WPVDB ID 8917

Timeline

Publicly Published 2017-10-01
Added 2017-09-28
Last Updated 2017-09-28
