WordPress Alloggio - Hotel Booking theme <= 2.1.2 - PHP Object Injection vulnerability
Description
Unauthenticated PHP Object Injection in Alloggio – Hotel Booking theme <= 2.1.2 allows remote code execution via a POP chain.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Alloggio – Hotel Booking theme for WordPress, up to and including version 2.1.2, contains an unauthenticated PHP Object Injection vulnerability. The theme passes user-supplied input to unserialize() without validating it, so an attacker who needs neither an account nor any user interaction can instantiate arbitrary PHP classes in the application with attacker-controlled property values. The public description does not identify the exact call site. Affected versions: all versions up to and including 2.1.2 [1].
Exploitation
An unauthenticated attacker triggers the PHP Object Injection by sending a crafted HTTP request whose body carries a malicious serialized payload to the vulnerable endpoint; no special network position or authentication is required. The injection by itself only creates objects. Code execution requires a POP (Property Oriented Programming) chain: one or more classes already loaded on the site (from WordPress core, other plugins, or the theme itself) whose magic methods such as __wakeup, __destruct or __toString do something dangerous with attacker-controlled properties. Where such a chain exists, the attacker can execute arbitrary code or perform other malicious actions [1].
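The pattern the two sections above describe, as an added example that is not the Alloggio theme's own code (the theme's actual unserialize() call site is not on this page). The CacheWriter gadget class, the restore_booking_* handler names, the temp-file path and the PHP 8 runtime are assumptions for illustration; the serialized payload is constructed here to stand in for a crafted request body.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Alloggio theme. Shows why unserialize()
// on untrusted input is exploitable when a gadget class is loaded, and what
// the hardened forms look like. All names below are hypothetical.

class CacheWriter
{
    public string $path = '';
    public string $contents = '';

    // The "gadget": a magic method with a side effect. PHP runs __destruct on
    // every object that unserialize() created as soon as it is released, so an
    // attacker who controls the serialized string controls $path and $contents.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable: instantiates whatever class names the payload carries.
function restore_booking_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: no class is ever instantiated from untrusted data. Objects in the
// payload become __PHP_Incomplete_Class and no magic method runs.
function restore_booking_hardened(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred: carry state as JSON, which cannot express objects with behaviour.
function restore_booking_json(string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('booking state must be a JSON object');
    }
    return $data;
}

// --- Demonstration with a constructed payload (what a crafted request body would carry).
$target = sys_get_temp_dir() . '/alloggio_poi_demo.txt';
@unlink($target);

// An attacker builds this string offline from the class name and property
// names alone; nothing on the target has to run to produce it.
$payload = 'O:11:"CacheWriter":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:8:"contents";s:12:"owned by POP";}';

restore_booking_vulnerable($payload);   // object created, returned, discarded: __destruct fires
echo 'vulnerable: file written = ' . var_export(file_exists($target), true) . PHP_EOL;
@unlink($target);

$obj = restore_booking_hardened($payload);
echo 'hardened: got ' . get_class($obj) . ', file written = '
   . var_export(file_exists($target), true) . PHP_EOL;

$state = restore_booking_json('{"checkin":"2026-07-01","nights":3}');
echo 'json: nights = ' . $state['nights'] . PHP_EOL;
```

Run it with `php poi_demo.php`: the vulnerable handler writes the file, the hardened one returns a __PHP_Incomplete_Class and writes nothing, and the JSON handler gives back a plain array. The point of the demonstration is that the gadget class has nothing to do with the endpoint that called unserialize(); any class loaded by WordPress core, another plugin or the theme with a usable magic method serves as the chain, which is why the impact of this kind of bug depends on the rest of the site.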
Impact
Successful exploitation can lead to severe consequences, including remote code execution, SQL injection, path traversal, arbitrary file writes or deletion, and denial of service, depending on which gadget classes the available POP chain provides. The attacker can gain full control over the affected WordPress site, potentially compromising sensitive data, defacing content, or using the site as a pivot for further attacks [1].
Mitigation
The vulnerability is fixed in version 2.1.3 of the Alloggio theme. Site owners are strongly advised to update to version 2.1.3 or later immediately. Where updating is not immediately possible, a mitigation rule available from Patchstack can block attack attempts until the update is applied. The vulnerability is listed as highly likely to be exploited in mass campaigns [1].
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.