WordPress Geo Controller < 8.6.5 - PHP Object Injection

Vulnerability

The Geo Controller WordPress plugin versions before 8.6.5 unserialize user input in certain AJAX actions and REST API routes. This occurs without proper validation or sanitization, making the plugin susceptible to PHP Object Injection when a suitable gadget (a class with magic methods like __destruct or __wakeup) is available in the server environment [1]. The vulnerability affects all sites using the plugin prior to the fixed release.

Exploitation

An unauthenticated attacker can trigger the vulnerability by sending a crafted serialized payload to one of the affected endpoints. The plugin automatically unserializes the attacker-supplied input, enabling the gadget chain to execute arbitrary code or perform other malicious actions. No user interaction or special privileges are required [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution or gain complete control over the WordPress site, depending on the available gadget chain. This can lead to data theft, site defacement, or further compromise of the server. The impact is critical due to the high potential for privilege escalation and remote code execution [1].

Mitigation

The vulnerability is fixed in version 8.6.5 of the Geo Controller plugin, released on 2024-04-10 according to the advisory [1]. Users must update to this version or later immediately. No workarounds are provided; disabling the plugin temporarily is the only alternative if an update cannot be applied.