WordPress Playroom theme <= 1.4.1 - PHP Object Injection vulnerability
Description
Unauthenticated PHP Object Injection in Playroom theme <= 1.4.1 enables remote code execution and other attacks via crafted objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Playroom WordPress theme, versions 1.4.1 and earlier, contains an unauthenticated PHP Object Injection vulnerability. The flaw arises when user-supplied input is passed to PHP deserialization without validation, allowing an attacker to have arbitrary PHP objects instantiated inside the application. Because no authentication is required, the issue is reachable by any remote attacker [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted serialized PHP object to the affected theme. No authentication is required. The attack can be performed remotely over HTTP. Successful exploitation requires the presence of a suitable POP (Property Oriented Programming) chain within the WordPress installation or its plugins/themes [1].
Impact
If a proper POP chain is available, an attacker can achieve arbitrary code execution, SQL injection, path traversal, or denial of service. The impact is severe, as it can lead to full site compromise, data theft, and further attacks on the server. The vulnerability is rated with a CVSS score of 8.1, indicating high severity [1].
Mitigation
The vulnerability is fixed in Playroom version 1.5 and later. Users are strongly advised to update immediately. If unable to update, consider using a web application firewall or a security plugin that provides virtual patching, such as Patchstack's mitigation rule. The vulnerability is expected to be exploited in mass campaigns, so prompt action is critical [1].
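The unsafe pattern described in the Vulnerability section, placed next to the defensive forms the Mitigation section implies, as an added PHP illustration: this is not the Playroom theme's own code, and the handler names and the `layout` request parameter are hypothetical.

```php
<?php
// Added illustration (not the Playroom theme's code). The handler names and
// the "layout" parameter are hypothetical stand-ins for a theme feature that
// reads structured data from a request.

// VULNERABLE pattern: request data reaches unserialize(), so every class in the
// WordPress installation that defines __wakeup(), __destruct() or __toString()
// becomes a candidate gadget for a POP chain. No authentication check guards it.
function playroom_load_layout_unsafe(): array {
    $raw  = isset($_REQUEST['layout']) ? (string) $_REQUEST['layout'] : '';
    $data = @unserialize(base64_decode($raw));   // objects are instantiated here
    return is_array($data) ? $data : [];
}

// HARDENED form 1: carry the data as JSON, which has no object semantics, keep
// only the keys the feature expects, and coerce each value to its intended type.
function playroom_load_layout_safe(): array {
    $raw     = isset($_REQUEST['layout']) ? (string) $_REQUEST['layout'] : '';
    $decoded = json_decode($raw, true, 8);        // depth limit bounds nesting
    if (!is_array($decoded)) {
        return [];
    }
    $allowed = ['columns' => 'int', 'sidebar' => 'string'];   // hypothetical schema
    $clean   = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $decoded)) {
            continue;
        }
        // sanitize_key() is WordPress core; it strips everything but [a-z0-9_-].
        $clean[$key] = ($type === 'int')
            ? (int) $decoded[$key]
            : sanitize_key((string) $decoded[$key]);
    }
    return $clean;
}

// HARDENED form 2: where serialized PHP must still be parsed (e.g. legacy stored
// data), forbid object instantiation outright. Any class in the payload then
// becomes __PHP_Incomplete_Class, which carries no magic methods, so no gadget
// code runs; scalars and arrays are returned normally.
function playroom_unserialize_no_objects(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}
```

The `allowed_classes` option exists since PHP 7.0; on older PHP the only safe choice is form 1. For virtual patching while an update is pending, a WAF rule that blocks request parameters beginning with a serialized-object marker (`O:` or base64-encoded `Tz`) on the theme's endpoints is the usual interim control, and a log entry for each such block is a useful detection signal.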
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: the mechanics section is only generated when the actual fix diff can be read. Without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- WordPress: 25 CVEs Disclosed in One Day — RCE, File Upload, and a Wave of PHP Object Injection Flaws in Themes (Vypr Intelligence · Jun 16, 2026)