WordPress Anti-Spam Plugin Vulnerability Affects Over 60,000 Sites

A WordPress anti-spam plugin with over 60,000 installations has patched a PHP Object injection vulnerability caused by improper sanitization of inputs: base64-encoded user input was accepted and processed without being checked.

## Unauthenticated PHP Object Injection

A vulnerability was found in the widely used "Stop Spammers Security | Block Spam Users, Comments, Forms" WordPress plugin.

The purpose of this plugin is to prevent spam in comments, forms, and sign-up registrations. It can block spam bots and allows users to input IP addresses to block.

It is a standard practice for any WordPress plugin or form that accepts user inputs to only allow specific inputs, such as text, images, email addresses, or whatever input is expected.

Unexpected inputs should be filtered out, a process known as sanitization.

For example, a contact form should have a function that inspects the submitted content and rejects or strips (sanitizes) anything that is not the plain text it expects.

The vulnerability discovered in the anti-spam plugin allowed base64-encoded input to be decoded and deserialized, which can trigger a PHP Object injection vulnerability.

The description of the vulnerability on the WPScan website explains:

> “The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as a second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain…”

The classification of this vulnerability is Insecure Deserialization.
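To make the WPScan description concrete, the following is an added illustration, not code from the Stop Spammers Security plugin or from its fix. It shows the unsafe pattern (base64-encoded, user-controlled data handed straight to `unserialize()`) next to two hardened alternatives: calling `unserialize()` with `allowed_classes => false` so no real class can be instantiated, and using JSON instead of PHP serialization for data that round-trips through the client. The `ChallengeState` class, the function names and the payload are all constructed for the demonstration; the class's `__wakeup()` only records that it ran, standing in for whatever a real gadget class would do.

```php
<?php
// Added example (not the plugin's code): base64 + unserialize() on user input,
// and two ways to defuse it. All names here are hypothetical.
declare(strict_types=1);

// Harmless stand-in for a class a deserialized payload could name.
// PHP instantiates whatever class the payload specifies and runs its
// __wakeup(); here that only flips a flag so the effect is observable.
class ChallengeState
{
    public static bool $wakeupRan = false;
    public string $note = '';

    public function __wakeup(): void
    {
        self::$wakeupRan = true;
    }
}

// VULNERABLE: user-controlled, base64-encoded data reaches unserialize()
// unchanged. Any class installed on the site can be instantiated this way,
// which is exactly the "suitable gadget chain" risk WPScan describes.
function vulnerable_restore(string $encoded)
{
    $raw = base64_decode($encoded);
    return unserialize($raw);
}

// HARDENED (a): keep PHP serialization but forbid object instantiation.
// With allowed_classes => false (PHP 7.0+), every object in the payload becomes
// __PHP_Incomplete_Class and no __wakeup()/__destruct() of a real class runs.
function hardened_restore_legacy(string $encoded)
{
    $raw = base64_decode($encoded, true);   // strict mode: reject non-base64 bytes
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (b): do not round-trip PHP-serialized data through the client at all.
// JSON cannot express objects of arbitrary classes, so there is nothing to inject.
// (Binding the state to the session, or signing it, is a further step omitted here.)
function hardened_restore_json(string $encoded): ?array
{
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }
    $state = json_decode($raw, true, 8);    // depth-limited, arrays only
    return is_array($state) ? $state : null;
}

// Constructed demonstration payload: a serialized ChallengeState, base64-encoded,
// standing in for a value a client could submit with the CAPTCHA challenge.
$payload = base64_encode(serialize(new ChallengeState()));

ChallengeState::$wakeupRan = false;
vulnerable_restore($payload);
echo 'vulnerable_restore:       __wakeup ran = ',
     var_export(ChallengeState::$wakeupRan, true), PHP_EOL;        // true

ChallengeState::$wakeupRan = false;
$obj = hardened_restore_legacy($payload);
echo 'hardened_restore_legacy:  __wakeup ran = ',
     var_export(ChallengeState::$wakeupRan, true),
     ', class = ', get_class($obj), PHP_EOL;                       // false, __PHP_Incomplete_Class

var_dump(hardened_restore_json($payload));                         // NULL: serialized PHP is not JSON
```

The defender's takeaway is the one OWASP makes below: the safe design is never to deserialize data an untrusted party can shape. Where legacy serialized data cannot be dropped immediately, `allowed_classes => false` removes the object-instantiation primitive, and strict base64 decoding rejects malformed input before it is parsed at all.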

The non-profit Open Web Application Security Project (OWASP) describes the potential impact of these vulnerabilities as serious, though this may vary for specific cases.

OWASP states:

> “The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data.”

Nonetheless, OWASP also notes that exploiting this kind of vulnerability tends to be difficult:

> “Exploitation of deserialization is somewhat difficult, as off-the-shelf exploits rarely work without changes or tweaks to the underlying exploit code.”

The vulnerability in the Stop Spammers Security WordPress plugin was fixed in version 2022.6.

The official Stop Spammers Security changelog describes the fix as an enhancement for security.

Users of the Stop Spammers Security plugin should consider updating to the latest version to prevent a potential hacker from exploiting the plugin.

### Citations

- CVE-2022-4120 Detail
- Stop Spammers Security < 2022.6 – Unauthenticated PHP Object Injection
