A security researcher at Secarma, Sam Thomas, discovered and mentioned a severe PHP flaw at the Black Hat USA event, 2018. The vulnerability can lead to PHP code execution attack on WordPress websites and can result in full system compromise.

Yes, even after applying layers of protection and several security practices, your WordPress website security can still be compromised. The new PHP code vulnerability is the sinner.

WordPress accounts for more than 60% of the total CMS market. It means more than half of all the websites on the web are exposed to severe danger.

The PHP object injection flaw was first documented in 2009. However, it came in the address last year, on February 28, 2017. The shocking factor is: even after a year of discovery and report, this critical PHP loophole remains unpatched. It makes WordPress PHP security a challenge.

The question is: Is it very hard to overcome the vulnerability in the PHP programming language? Well, let’s see.

How can PHP code vulnerability harm your WordPress site?

The PHP injection exploitation technique allows the cybercriminals to use low-risk considered functions against Phar archives. This is to trigger severe deserialization vulnerabilities in your PHP coding. Also, in most scenarios, the hackers won’t require the use of unserialize() function; it’s then easy for them to enter your website.

Serialization is to convert data into a plain string; unserialize functions recreate the object back into PHP values.

PHP Phar files store metadata in the archive, serialized format. The attackers exploit PHP vulnerability by using the file operation functions like “fopen, file_exists_call” to trigger the bug and unserialize the file.

All they need to do is:

  • Upload a malicious object (image) in Phar archive

PHP code execution attack on WordPress

  • Execute arbitrary PHP code via “phar://” stream wrapper

PHP code execution attack on WordPress

  • Successfully accomplish the PHP code execution attack on WordPress sites

According to Sam, “The way certain thumbnail functionalities within the WordPress application work, they provide hackers the privileges to upload/modify media items to gain full control of the parameter used in a “file_exists” call. It then causes unserialization to occur”.

Thus, the simplest way to accomplish this malicious activity is to use a JPEG image (that was originally a Phar archive).

Look at Low-Risk Functions

Beware, WordPress owners! You can be the next victim of the PHP code execution attack on WordPress.

Take note of every minor change or activity that happens in your PHP programming files. This is because you unknowingly might provide the attackers full control of your website. How? By ignoring the changes (deserialization) in low-risk considered functions.

“I’ve highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk,” said the researcher at the BSides Conference.

The core vulnerability lies within wp_get_attachment_thumb_file function. This function is found in /wpincludes/post.php file.

P.S. Apart from weakening WordPress websites, this code vulnerability also targets Typo3 CMS (versions 7.6.30, 8.7.17 and 9.3). However, as most of the websites are based on WordPress CMS, the risk percentage is also higher in WordPress sites.

Final Words

Your website security should be your prime consideration. If ignored, even the simple PHP code vulnerabilities can lead to more critical Remote code execution attacks. Thus, it’s advisable to secure your WordPress site in every possible manner. Explore the best WordPress security practices of all times to secure your WordPress site.

As far as PHP code injection attack is considered, WordPress has already been notified about the issue. We’ll update as soon as WordPress comes up with a solution.

Comment below if you know more PHP vulnerabilities or other flaws and loopholes that can make a website attackers’ easy target.