Contact to report security vulnerabilities #128
During our monitoring of changes made to WordPress plugins we found a PHP object injection vulnerability and a related cross-site request forgery (CSRF) vulnerability in the plugin.
In the file /admin/includes/admin-import.php the function import_events() passes the value of the POST input "reviewed_events" through the unserialize() function:
An attacker can abuse that to cause PHP object injection to occur (see https://www.owasp.org/index.php/PHP_Object_Injection).
Using JSON encoding and decoding is one alternative method to accomplish the same thing while avoiding this type of vulnerability.
When doing an import in the plugin there is no protection against cross-site request forgery (CSRF). You can find information on preventing cross-site request forgery (CSRF) in WordPress plugins at http://codex.wordpress.org/WordPress_Nonces.
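The two fixes the report asks for, as an added example that is not the plugin's own code: the weak pattern the report describes (a POST string fed to `unserialize()` with no CSRF check) beside a hardened handler that verifies a WordPress nonce and decodes JSON instead. The nonce action name, the capability and the event field names are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress admin page whose
// import form submits the "reviewed_events" field. The nonce action name
// 'plugin_import_events', the capability and the field names are assumptions.

// Weak pattern described in the report: unserialize() on attacker-controlled
// input lets the sender pick which PHP classes get instantiated, and nothing
// ties the request to a form the logged-in user actually submitted.
function import_events_unsafe() {
    return unserialize( $_POST['reviewed_events'] ); // no nonce, no type check
}

// Hardened handler: capability check, nonce check, JSON instead of unserialize.
function import_events_hardened() {
    // Only users allowed to manage the site may import (capability is assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries the nonce the import form embedded
    // (see http://codex.wordpress.org/WordPress_Nonces); blocks CSRF.
    check_admin_referer( 'plugin_import_events' );

    $raw = isset( $_POST['reviewed_events'] ) ? wp_unslash( $_POST['reviewed_events'] ) : '';
    // json_decode() with $assoc = true yields only arrays and scalars, never
    // objects, so no class is instantiated whatever the input contains.
    $events = json_decode( $raw, true, 8 );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $events ) ) {
        wp_die( 'Invalid import data.', '', array( 'response' => 400 ) );
    }
    // Keep only the fields the importer actually uses, each sanitised.
    $clean = array();
    foreach ( $events as $event ) {
        if ( ! is_array( $event ) ) {
            continue;
        }
        $clean[] = array(
            'title' => sanitize_text_field( $event['title'] ?? '' ),
            'start' => sanitize_text_field( $event['start'] ?? '' ),
        );
    }
    return $clean;
}

// The import form must embed the matching nonce for check_admin_referer():
// wp_nonce_field( 'plugin_import_events' );
```

If the plugin must keep the serialized format for compatibility, PHP 7's `unserialize( $raw, array( 'allowed_classes' => false ) )` also refuses to instantiate any class, but the nonce check is still needed for the CSRF issue.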