VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Laurits theme <= 1.5.1 - PHP Object Injection vulnerability

CVE-2026-40736

Description

Unauthenticated PHP Object Injection in Laurits theme <=1.5.1 enables remote code execution via insecure deserialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Laurits WordPress theme versions up to and including 1.5.1 contain an unauthenticated PHP Object Injection vulnerability [1]. The flaw arises from insecure deserialization of user-supplied input, allowing an attacker to inject arbitrary PHP objects without requiring any authentication. Affected versions: Laurits <= 1.5.1.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint; no prior authentication or user interaction is needed [1]. Successful exploitation depends on the presence of a suitable POP (Property-Oriented Programming) gadget chain within the theme or its dependencies, which can be leveraged to execute arbitrary code or perform other malicious actions [1].

Impact

Successful exploitation can lead to severe consequences such as remote code execution, SQL injection, path traversal, or denial of service, depending on the available POP gadgets [1]. The attacker can potentially gain full control of the affected WordPress site, compromising confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed in version 1.6 of the Laurits theme [1]. Users are strongly advised to update to 1.6 or later immediately. For sites that cannot be patched right away, Patchstack has released a virtual patch/mitigation rule to block exploitation attempts until the update is applied [1].
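As an added illustration of the bug class described above (not the Laurits theme's own code; this page has no source for it), the following hypothetical WordPress AJAX handler shows the insecure deserialization pattern beside two hardened alternatives. The handler names, the `state` POST parameter and the nonce action are assumed for the example.

```php
<?php
// Hypothetical illustration of PHP Object Injection, added here; it is NOT
// the Laurits theme's code. Assumed: a WordPress AJAX handler reading "state".

// Vulnerable pattern: unserialize() on attacker-controlled input instantiates
// whatever class the payload names and runs its magic methods (__wakeup,
// __destruct, ...), which is exactly what a POP gadget chain relies on.
function hypothetical_vulnerable_state_handler() {
    $state = unserialize( wp_unslash( $_POST['state'] ?? '' ) );
    wp_send_json( $state );
}

// Hardened pattern: do not accept serialized PHP from the client at all.
// JSON carries the same structured data and cannot name PHP classes.
function hypothetical_hardened_state_handler() {
    check_ajax_referer( 'hypothetical_state_nonce', 'nonce' );
    $state = json_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $state ) ) {
        wp_send_json_error( 'invalid state', 400 );
    }
    wp_send_json_success( $state );
}

// Where a legacy serialized format must still be read, forbid object
// creation (PHP >= 7.0) and reject anything that tried to smuggle one in:
// with allowed_classes => false a smuggled object comes back as
// __PHP_Incomplete_Class and none of its magic methods is ever invoked.
function unserialize_scalars_only( $raw ) {
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( $value === false && $raw !== 'b:0;' ) {
        return null; // malformed input, not a legitimately serialized false
    }
    return contains_incomplete_object( $value ) ? null : $value;
}

function contains_incomplete_object( $value ) {
    if ( $value instanceof __PHP_Incomplete_Class ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_incomplete_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}
```

Registering the vulnerable handler on a `wp_ajax_nopriv_` hook is what makes such a flaw reachable without authentication, so the fix should be paired with a review of which hooks are exposed to unauthenticated requests.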

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1