WordPress Ultimate Reviews plugin fixed insecure deserialization vulnerability.

The WordPress Ultimate Reviews plugin (2,000+ active installations) fixed an insecure deserialization vulnerability affecting version 2.1.32 and below that could lead to unauthenticated PHP object injection.

Insecure Deserialization

There are three occurrences in the plugin where an unauthenticated user could inject a serialized PHP object in a cookie, which could potentially lead to a PHP object injection vulnerability:

1. In the “Functions/Process_Ajax.php” script, the EWD_URP_Karma_IDs cookie is unserialized (line 71) in the EWD_URP_Update_Karama AJAX action, which can be exploited by any user, authenticated or not:

function EWD_URP_Update_Karama() {
   
   $Review_ID = intval( $_POST['ReviewID'] );
   $Direction = sanitize_text_field( $_POST['Direction'] );
   
   $Karma = get_post_meta( $Review_ID, 'EWD_URP_Review_Karma', true );
   
   if ($Direction == 'down') {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma - 1 );}
   else {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma + 1 );}
   
   // Vulnerable line: the cookie value is fully attacker-controlled and is passed
   // to unserialize() without any class restriction, so a serialized object in
   // the cookie is instantiated on the server (PHP object injection).
   $EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));
   $EWD_URP_Karma_IDs[] = $Review_ID;
   
   setcookie('EWD_URP_Karma_IDs', serialize($EWD_URP_Karma_IDs), time()+3600*24*365, '/');
}
// Both hooks are registered, so the action is reachable without authentication.
add_action('wp_ajax_urp_update_karma', 'EWD_URP_Update_Karama');
add_action('wp_ajax_nopriv_urp_update_karma', 'EWD_URP_Update_Karama');

2. In the “Functions/EWD_URP_Submit_Review.php” script, the EWD_URP_Reviewed_Products cookie is unserialized (line 92) when an unauthenticated user submits a review (excerpt):

if ($One_Review_Per_Product_Person == "Yes") {
   // Same pattern: unrestricted unserialize() of a user-supplied cookie.
   $Reviewed_Products = (isset($_COOKIE['EWD_URP_Reviewed_Products']) ? unserialize(stripslashes($_COOKIE['EWD_URP_Reviewed_Products'])) : array());

3. In the “Shortcodes/SelectReview.php” script, the EWD_URP_Karma_IDs cookie is unserialized (line 127) when an unauthenticated user visits a page or a post:

// Same pattern: unrestricted unserialize() of a user-supplied cookie on every page view.
if(isset($_COOKIE['EWD_URP_Karma_IDs'])) {$EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));}
else {$EWD_URP_Karma_IDs = array();}
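All three occurrences share one pattern: a cookie that should only ever hold a list of post IDs is handed to unserialize() with no restriction on what it may contain. The following is an added example, not the plugin's own code or its actual fix, of how such a cookie can be read and written safely; it assumes it runs inside WordPress (for is_ssl()) and the helper names ewd_urp_read_id_cookie() and ewd_urp_write_id_cookie() are hypothetical.

```php
<?php
// Added example, not code from the plugin or the advisory. The helper names
// ewd_urp_read_id_cookie() and ewd_urp_write_id_cookie() are hypothetical.

/**
 * Read a cookie expected to hold a serialized list of post IDs and return a
 * clean int[]. Anything that is not a flat list of positive integers, including
 * any object, yields an empty array instead of being trusted.
 */
function ewd_urp_read_id_cookie( string $name ): array {
    if ( ! isset( $_COOKIE[ $name ] ) || ! is_string( $_COOKIE[ $name ] ) ) {
        return array();
    }
    $raw = stripslashes( $_COOKIE[ $name ] );
    // Cheap pre-check (fail closed): a well-formed list of integers never
    // contains an object token, so refuse before unserialize() sees it at all.
    if ( preg_match( '/[OC]:\d+:"/', $raw ) ) {
        return array();
    }
    // allowed_classes => false (PHP 7.0+): even if an object token got past the
    // check above, unserialize() only produces __PHP_Incomplete_Class, so no
    // application class magic method (__wakeup, __destruct, ...) runs on cookie data.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array();
    }
    $ids = array();
    foreach ( $data as $value ) {
        if ( is_int( $value ) && $value > 0 ) {
            $ids[] = $value;
        } elseif ( is_string( $value ) && ctype_digit( $value ) && (int) $value > 0 ) {
            $ids[] = (int) $value;
        }
        // Nested arrays, objects and non-numeric strings are silently dropped.
    }
    return array_values( array_unique( $ids ) );
}

/** Write the list back in the same format, casting every entry to int first. */
function ewd_urp_write_id_cookie( string $name, array $ids ): void {
    $ids = array_values( array_unique( array_map( 'intval', $ids ) ) );
    // HttpOnly and (on HTTPS) Secure, so the cookie is not exposed to scripts.
    setcookie( $name, serialize( $ids ), time() + 3600 * 24 * 365, '/', '', is_ssl(), true );
}

// How the karma handler would use it, mirroring the original flow above:
// $ids   = ewd_urp_read_id_cookie( 'EWD_URP_Karma_IDs' );
// $ids[] = intval( $_POST['ReviewID'] );
// ewd_urp_write_id_cookie( 'EWD_URP_Karma_IDs', $ids );
```

Storing the list as JSON (json_encode()/json_decode()) would remove the class-instantiation risk entirely, since JSON carries no type information; the serialize() writer is kept here only so existing cookies stay readable.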

Timeline

The vulnerabilities were reported to the WordPress Plugin Team on October 28th 2020, and a new version 2.1.33 was released on October 29th.

Recommendations

Upgrade immediately to the latest version of the plugin. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability. Additionally, NinjaFirewall has an option to block serialized PHP objects, which I recommend enabling. It can be found in the “Firewall Policies > Advanced Policies” section.
