A critical vulnerability has been discovered and patched in the Better Search Replace plugin for WordPress which has over 1 million active website installations.
Successful attacks can result in arbitrary file deletion, sensitive data retrieval, and code execution.
The severity level of the vulnerability
The severity of vulnerabilities is scored on a scoring system with ratings described as ranging from low to critical:
- Low 0.1-3.9
- Average 4.0-6.9
- High 7.0-8.9
- Critical 9.0-10.0
The severity of the vulnerability discovered in the Better Search Replace plugin is rated as Severe, the highest level, with a score of 9.8 on a severity scale of 1 to 10.
Better Search replaces WordPress plugin
The plugin was developed by WP Engine but was originally created by developer Delicious Brains which was acquired by WP Engine. Better Search Replace is one of the popular WordPress tools that simplifies and automates the process of running a search and replace task on a WordPress site database, which is useful in a site or server migration task. The plugin comes in a free and paid Pro version.
The plugin’s website lists the following features for the free version:
- “Serialization support for all tables
- Ability to choose specific schedules
- Ability to run a “demo trial” to see how many fields will be updated
- There are no server requirements except for a running installation of WordPress
- WordPress Multisite Support”
The paid Pro version has additional features such as the ability to track what has been changed, the ability to backup and import the database while the plugin is running, and extended support.
The plugin’s popularity is due to its ease of use, usefulness, and history of being a trustworthy plugin.
PHP object injection vulnerability
[box type=”note” align=”” class=”” width=””]A PHP Object Injection vulnerability occurs, in the context of WordPress, when user-supplied input is unsafely deserialized. Deserialization is a process in which string representations of objects are converted back into PHP objects.[/box]
The non-profit Open Worldwide Application Security Project (OWASP) provides a general description of the PHP Object Injection vulnerability :
“PHP Object Injection is an application-level vulnerability that can allow an attacker to perform various types of malicious attacks, such as code injection, SQL injection, path traversal and denial of service to the application, depending on the context.
The vulnerability occurs when user-supplied input is not properly cleaned before being passed to the PHP unserialize() function. Because PHP allows object serialization, attackers can pass custom serialized strings to a vulnerable unserialize() call, resulting in arbitrary PHP object(s) being injected into the application scope.
In order to successfully exploit the PHP Object Injection vulnerability, two conditions must be met:
- The application must have a class that implements a magic PHP method (such as __wakeup or __destruct) that can be used to perform malicious attacks, or to start a “POP chain”.
- All classes used during the attack must be declared when calling vulnerable unserialize(), otherwise automatic loading of objects for these classes must be supported.
If an attacker can upload (inject) input to include a serialized object of their choice, they could potentially execute arbitrary code or compromise the website’s security. As mentioned earlier, this type of vulnerabilities usually arise due to insufficient user input optimization. Sanitization is a standard process of checking input data so that only expected input types are allowed and unsafe inputs are rejected and blocked.
In the case of the Better Search Replace plugin, the vulnerability was exposed in the way it handled deserialization during search and replace operations. One important security feature missing in this scenario was the POP chain – a series of related classes and functions that an attacker can use to run malicious actions when the object is out of serialization.
While the Better Search Replace plugin did not contain such a string, the risk remains that if another plugin or theme installed on the same website contained a POP string it could allow an attacker to launch attacks.
Wordfence describes the vulnerability :
“The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.4.4 via deserialization of untrusted input.
This makes it possible for unauthenticated attackers to inject a PHP object.
There is no POP chain in the vulnerable plugin. If the POP chain exists via a plugin or additional theme installed on the targeted system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
In response to this discovery, WP Engine immediately addressed the issue. The changelog entry for the update to version 1.4.5, released on January 18, 2024, highlights the actions taken:
“Security: Deserializing an object during find and replace operations now passes ‘allowed_classes’ => false to avoid instantiating the object and potentially running malicious code stored in the database.”
This update came after Wordfence disclosed the vulnerability on December 18, 2023, which was followed by WP Engine development and testing of the fix.
