GDPR CCPA Compliance Support plugin fixed insecure deserialization vulnerability.

The WordPress GDPR CCPA Compliance Support plugin (1,000+ active installations) fixed an insecure deserialization vulnerability affecting version 2.1 and below that could lead to unauthenticated PHP object injection.

Insecure Deserialization

In the njt_gdpr_get_permission function of the “src/functions.php” script, the base64-encoded njt_gdpr_allow_permissions is passed to the maybe_unserialize function:

function njt_gdpr_get_permission()
{
   $arr = array('cookie' => '0', 'fb' => '0', 'gg' => '0');
   $current_user_id = get_current_user_id();
    
   if ($current_user_id == 0) {
      if (isset($_COOKIE['njt_gdpr_allow_permissions'])) {
         $cookie = maybe_unserialize(base64_decode($_COOKIE['njt_gdpr_allow_permissions']));

In the “src/init.php” script, the same cookie is again passed to the maybe_unserialize function in the “userClickedBtn” and “canUseCookie” methods:

public function userClickedBtn()
{
   $current_user_id = get_current_user_id();
   if ($current_user_id == 0) {//guest
      if(isset($_COOKIE['njt_gdpr_allow_permissions'])){
         $cookie = maybe_unserialize(base64_decode($_COOKIE['njt_gdpr_allow_permissions']));
         return isset($cookie['cookie']);
         //return (isset($cookie['cookie']) && $cookie['cookie'] == '1') || (isset($cookie['fb']) && $cookie['fb'] == '1') || (isset($cookie['gg']) && $cookie['gg'] == '1');
      }
      return false;
   } else {
      $arr = get_user_meta($current_user_id, 'njt_gdpr_allow_permissions', true);
      return is_array($arr);
   }
}
public function canUseCookie()
{
   if ($this->userClickedBtn()) {
      $current_user_id = get_current_user_id();
      if ($current_user_id == 0) {//guest
         if(isset($_COOKIE['njt_gdpr_allow_permissions'])) {
            $cookie = maybe_unserialize(base64_decode($_COOKIE['njt_gdpr_allow_permissions']));
            return (isset($cookie['cookie']) && ($cookie['cookie'] == '1'));
         }

In all three cases, an unauthenticated user could inject a serialized PHP object in the cookie, which could potentially lead to a PHP object injection vulnerability.

Timeline

The vulnerabilities were reported to the WordPress Plugin Team on October 28th 2020, and a new version 2.2 was released on October 29th.

Recommendations

Upgrade immediately if you have version 2.1 or below. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability. Additionally, NinjaFirewall has an option to block serialized PHP objects, which I recommend to enable:

It can be found in the “Firewall Policies > Advanced Policies” section.


Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet