WordPress Anti-Spam Plugin Vulnerability Affects Up To 60,000+ Sites
WordPress security flaws discovered in popular anti-spam plugins that are used on over 60,000 websites
A WordPress anti-spam plugin with more than 60,000 installations has patched a PHP object injection vulnerability. The flaw was caused by insufficient sanitization of user input: base64-encoded data supplied by users was decoded and passed on to be deserialized.
Unauthenticated PHP object injection
A security flaw was found in the widely used Stop Spammers Security | Block Spam Comments, Users, and Forms WordPress plugin.
The plugin's purpose is to block spam in comment forms, contact forms, and registration forms. It stops spambots and also lets site owners enter IP addresses to block.
It is standard practice for any WordPress application or web form that accepts user input to allow only the specific kinds of input that are expected, such as images, text, or email addresses, and nothing else.
Unexpected input needs to be removed. The process of filtering out input that is not required is known as sanitization.
For instance, a contact form should examine the submitted content and reject or strip (sanitize) anything that is not plain text.
The flaw discovered in the anti-spam plugin allowed base64-encoded input to reach a deserialization call, which is what makes a PHP object injection vulnerability possible.
The WPScan website describes the vulnerability as follows:
“The plugin sends encrypted user inputs in base64 format into an unserialize() PHP function when CAPTCHA is used as a second-level challenge. This could cause PHP object injection if the plugin is installed on the blog and includes a compatible gadget chain …”
The vulnerability is classified as Insecure Deserialization.
The non-profit Open Web Application Security Project (OWASP) describes the potential impact of this class of vulnerability as severe, although that may not be the case for this specific vulnerability.
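The following is an added illustration of the pattern described above (base64-decoding untrusted input and handing it to unserialize()) next to a hardened version that also does the input validation the earlier paragraphs on sanitization call for. It is not the plugin's code and it does not reproduce the actual vulnerable function; the class LogWriter, the functions restore_state_vulnerable and restore_state_hardened, and the state fields "challenge" and "ts" are all hypothetical, chosen only to make the mechanism visible.

```php
<?php
// Added example (not the Stop Spammers Security plugin's own code).
// Shows why base64 + unserialize() on user-controlled input is PHP object
// injection, and one way to harden the same code path.

// Hypothetical gadget class: any class loaded on the site whose magic methods
// do something dangerous with attacker-controlled properties. In a real attack
// it comes from some other installed plugin or theme ("compatible gadget chain").
class LogWriter {
    public $path = '/tmp/safe.log';
    public $data = '';
    public function __destruct() {
        // Writes attacker-controlled content to an attacker-controlled path
        // as soon as the injected object is garbage-collected.
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE pattern: state that round-trips through the browser (for example
// a hidden field in a second-challenge CAPTCHA form) is decoded and fed
// straight to unserialize(). Any class name in the payload gets instantiated.
function restore_state_vulnerable(string $encoded): array {
    $state = unserialize(base64_decode($encoded));   // object injection here
    return is_array($state) ? $state : [];
}

// HARDENED version: reject malformed base64, refuse to instantiate any class,
// and validate the shape and types of the decoded data before trusting it.
function restore_state_hardened(string $encoded): ?array {
    $raw = base64_decode($encoded, true);             // strict mode: non-base64 -> false
    if ($raw === false) {
        return null;
    }
    $state = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)
        || !isset($state['challenge'], $state['ts'])
        || !is_string($state['challenge'])
        || !is_int($state['ts'])) {
        return null;
    }
    return $state;
}

// Constructed attacker payload: a serialized LogWriter built by hand, exactly
// as an attacker would craft it offline, then base64-encoded so it looks like
// the legitimate form field. (26 is strlen("written by injected object").)
$target  = sys_get_temp_dir() . '/injected-object-demo.txt';
$payload = base64_encode(
    'O:9:"LogWriter":2:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";'
    . 's:4:"data";s:26:"written by injected object";}'
);

// 1) Vulnerable path: the gadget is instantiated inside unserialize(); its
//    __destruct runs when the temporary goes out of scope and writes the file.
@unlink($target);
restore_state_vulnerable($payload);
echo file_exists($target) ? "vulnerable: wrote $target\n" : "no effect\n";

// 2) Hardened path: with allowed_classes => false the payload becomes a
//    __PHP_Incomplete_Class, which fails the is_array() check, so the request
//    is rejected and no destructor ever runs.
@unlink($target);
var_dump(restore_state_hardened($payload));          // NULL
echo file_exists($target) ? "still vulnerable\n" : "hardened: payload rejected\n";

// 3) Legitimate state still round-trips through the hardened function.
$good = base64_encode(serialize(['challenge' => 'abc123', 'ts' => 1700000000]));
var_dump(restore_state_hardened($good));             // array with both keys
```

Two practical notes on the hardened version. The allowed_classes option only removes the object-instantiation half of the problem; if the serialization format itself can be changed, json_encode()/json_decode() (with the associative flag) is the safer choice because it cannot express objects at all. And any state that leaves the server and comes back, CAPTCHA challenge state included, should be authenticated with an HMAC over the encoded blob so that tampered values are rejected before they are decoded.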
Its description on OWASP:
“The consequences of the deserialization flaws are too great to ignore. These vulnerabilities can result in remote attacks on code execution, which is one of the most dangerous attacks possible. The business impact is contingent on the security needs of the software and the data.”
However, OWASP cautions that exploiting this vulnerability is often challenging:
“Exploitation of deserialization is challenging since commercial exploits don’t always perform without modifications or tweaks to the exploit code.”
The flaw in the Stop Spammers Security WordPress plugin was fixed in version 2022.6.
The official Stop Spammers Security changelog, which gives dated explanations for its other updates, describes the fix only as a security improvement.
Site owners who use the Stop Spammers Security plugin should update to the latest version to prevent the vulnerability from being exploited.