VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability

CVE-2026-39580

Description

Unauthenticated PHP Object Injection in Micdrop WordPress theme <=1.3.1 allows remote code execution via crafted serialized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An unauthenticated PHP Object Injection vulnerability exists in the Micdrop WordPress theme versions 1.3.1 and earlier. The flaw allows an attacker to inject arbitrary serialized PHP objects into the application, which can lead to code execution if a suitable POP (Property Oriented Programming) chain is present in the theme or any active plugin. No authentication is required to trigger the vulnerability.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious serialized PHP objects to a vulnerable endpoint of the Micdrop theme. No prior authentication or special network position is needed; the attack can be performed remotely. The success of exploitation depends on the availability of a POP chain within the WordPress installation, which can be leveraged to execute arbitrary code or perform other malicious actions.

Impact

Successful exploitation can result in arbitrary code execution, SQL injection, path traversal, denial of service, and other severe outcomes, depending on the POP chain available. Since the vulnerability is unauthenticated, an attacker can achieve full compromise of the affected WordPress site, including data theft, site defacement, or use in mass-exploit campaigns.

Mitigation

The vulnerability is fixed in version 1.4 of the Micdrop theme. Users are strongly advised to update to 1.4 or later immediately. If updating is not possible, Patchstack has released a mitigation rule to block attacks until the update is applied [1]. No other workarounds have been disclosed.
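While the update to 1.4 is being rolled out, web access logs can be reviewed for the serialized-object input described under Exploitation. The following is an added example, not code from the advisory, Patchstack or the theme: the advisory does not name the vulnerable endpoint or parameter, so the scan covers every query parameter, and the log lines, the `example` parameter and the empty `stdClass` object are constructed sample data.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# serialize() writes objects as O:<len>:"<Class>":<count>:{ (C: for Serializable).
PHP_OBJECT = re.compile(r'(?:^|;)[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decoded_forms(value):
    """Yield value, further URL-decoded layers, and a base64 decode of the last."""
    yield value
    for _ in range(2):  # parse_qsl already decoded once; peel double encoding
        peeled = unquote_plus(value)
        if peeled == value:
            break
        value = peeled
        yield value
    try:
        b64 = value.replace(" ", "+")  # '+' arrives as a space in query strings
        yield base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass  # not base64, nothing more to inspect

def scan(log_lines):
    """Return (line_number, parameter_name) for each parameter carrying a PHP object."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST.search(line)
        if not request:
            continue
        query = urlsplit(request.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if any(PHP_OBJECT.search(form) for form in decoded_forms(value)):
                hits.append((number, name))
    return hits

# Constructed sample data: a harmless empty stdClass and a plain array, no POP chain.
OBJ = 'O:8:"stdClass":0:{}'
def _line(query):
    return f'203.0.113.5 - - [17/Jun/2026:10:00:00 +0000] "GET /?{query} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    _line("s=concert+tickets"),                                       # ordinary search
    _line("example=" + quote(OBJ, safe="")),                          # URL-encoded object
    _line("example=" + quote(quote(OBJ, safe=""), safe="")),          # double-encoded
    _line("example=" + quote(base64.b64encode(OBJ.encode()).decode(), safe="")),
    _line("example=" + quote('a:1:{i:0;s:1:"x";}', safe="")),         # array, no object
]
print(scan(SAMPLE_LOG))  # [(2, 'example'), (3, 'example'), (4, 'example')]
```

Request bodies are not recorded in standard access logs, so POST payloads need a WAF or application-level log to be covered by the same check.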

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
