WordPress Fidalgo theme <= 1.2.2 - PHP Object Injection vulnerability

Vulnerability

The Fidalgo WordPress theme versions up to and including 1.2.2 are vulnerable to unauthenticated PHP Object Injection. The flaw arises from insecure deserialization of user-supplied input, allowing an attacker to inject arbitrary serialized PHP objects without requiring authentication or any special configuration [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted serialized PHP object to a vulnerable endpoint over HTTP. No authentication, user interaction, or prior access is needed. The attack is remotely exploitable and is expected to be used in mass-exploit campaigns targeting thousands of sites [1].

Impact

Successful exploitation enables arbitrary PHP object injection. If a suitable POP (Property Oriented Programming) chain exists in the WordPress environment, this can lead to remote code execution, SQL injection, path traversal, denial of service, and other severe outcomes. The attacker gains full control over the affected website [1].

Mitigation

The vulnerability is fixed in Fidalgo version 1.3. Users should update immediately. If updating is not possible, Patchstack offers a mitigation rule to block attacks until the patch is applied. No other workarounds are documented. Given the expected mass exploitation, prompt action is critical [1].