WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability

Vulnerability

A PHP Object Injection vulnerability exists in the Fusion Builder plugin for WordPress, affecting versions up to and including 3.15.4. The flaw allows a contributor-level user or higher to inject arbitrary PHP objects due to improper handling of user-supplied input in the plugin's code [1].

Exploitation

An attacker must have contributor-level access or higher to the WordPress site. By crafting a malicious payload that triggers object deserialization, the attacker can inject arbitrary PHP objects. The exploitation does not require any additional user interaction beyond the attacker's own actions [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other severe outcomes, depending on the presence of a suitable POP chain. This can result in full compromise of the affected WordPress site [1].

Mitigation

The vulnerability is fixed in Fusion Builder version 3.15.5. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks. Automatic updates can be enabled for vulnerable plugins [1].