MarketPress <= 3.2.6 - PHP Object Injection

Description

The MarketPress plugin (installs to a directory named wordpress-ecommerce) versions 3.2.6 and prior are vulnerable to a PHP Object Injection attack from the cart cookie value stored in connection with this plugin.

Proof of Concept

Send an object to the site using the mp_globalcart_* cookie value and it will be unserialized on the request.

Vulnerable code snippet: 

wordpress-ecommerce/includes/common/class-mp-cart.php
   385                  $this->_cookie_id = 'mp_globalcart_' . COOKIEHASH;
   386                  $this->_items     = array( $this->_id => array() );
   387
   388                  if ( $cart_cookie = mp_get_cookie_value( $this->_cookie_id ) ) {
   389                          // Clean cookie from none product items
   390                          $cart_cookie_items = unserialize( $cart_cookie );

Affects Plugin

wordpress-ecommerce

fixed in version 3.2.7

References

URL	https://premium.wpmudev.org/project/e-commerce/
URL	https://plugins.trac.wordpress.org/changeset/1735475/wordpress-ecommerce

Classification

Type	OBJECTINJECTION

Miscellaneous

Submitter	Robert R
Submitter Website	https://pagely.com
Submitter Twitter	@iamlei
Views	3857
Verified	No
WPVDB ID	8917

Timeline

Publicly Published	2017-10-01 (almost 2 years ago)
Added	2017-09-28 (almost 2 years ago)
Last Updated	2018-08-29 (11 months ago)