UpdraftPlus WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the UpdraftPlus: WP Backup & Migration Plugin for WordPress, affecting versions 1.23.8 through 1.24.11. The flaw lies in the deserialization of untrusted input in the 'recursive_unserialized_replace' function, which allows unauthenticated attackers to inject PHP objects. The vulnerable plugin itself contains no known POP (property-oriented programming) chain, but the vulnerability becomes exploitable if another plugin or theme that supplies such a chain is installed on the same site. In that case an attacker may be able to delete arbitrary files, access sensitive data, or execute code, depending on the POP chain available. Triggering the issue requires an administrator to perform a search and replace action.
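As an added illustration of the pattern described above (example code, not UpdraftPlus code; the function and class names are hypothetical), here is a simplified search-and-replace walker in its unsafe form, which calls unserialize() with default options on stored values, beside a hardened form that passes allowed_classes => false so that no foreign class is ever instantiated during the replace:

```php
<?php
// Added example, not UpdraftPlus code; class and function names are hypothetical.

// Stand-in for a gadget class that some other plugin or theme might define.
class LoggingCleanup {
    public $path = '';
    public function __destruct() {
        echo "gadget __destruct() ran with path={$this->path}\n";
    }
}

// UNSAFE pattern: unserialize() with default options instantiates whatever class
// a stored value names, so a crafted 'O:...' string becomes a live object whose
// magic methods (__wakeup, __destruct, ...) execute during the replace.
function unsafe_recursive_replace($from, $to, $data) {
    if (is_string($data)) {
        $inner = @unserialize($data);
        if ($inner !== false) {
            return serialize(unsafe_recursive_replace($from, $to, $inner));
        }
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) $data[$k] = unsafe_recursive_replace($from, $to, $v);
    }
    return $data;
}

// HARDENED: allowed_classes => false turns every object in the payload into a
// __PHP_Incomplete_Class, so no user class is instantiated and no magic method
// runs; serialize() keeps the original class name, so the row round-trips intact.
function safe_recursive_replace($from, $to, $data) {
    if (is_string($data)) {
        $inner = @unserialize($data, ['allowed_classes' => false]);
        if ($inner !== false) {
            return serialize(safe_recursive_replace($from, $to, $inner));
        }
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) $data[$k] = safe_recursive_replace($from, $to, $v);
    }
    return $data; // incomplete-class objects are passed back unchanged
}

// Constructed sample rows, as a site-wide search and replace would read them.
$rows = ['widgets' => serialize(['feed' => 'http://old.example/feed']),
         'stored'  => 'O:14:"LoggingCleanup":1:{s:4:"path";s:8:"/tmp/x.y";}'];
$out = safe_recursive_replace('http://old.example', 'https://new.example', $rows);
var_dump(unserialize($out['widgets'], ['allowed_classes' => false]), $out['stored']);
```

With the hardened walker the nested URL is rewritten while the stored object string is handed back byte-for-byte and the stand-in destructor never runs; the trade-off is that string properties inside foreign objects are not rewritten, which is preferable to instantiating attacker-chosen classes.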

Impact

Exploitation of this vulnerability results in PHP Object Injection: attacker-controlled PHP objects are instantiated during deserialization and can be abused if a suitable POP chain is present on the site.

Reproduction

The vulnerability lies in the 'recursive_unserialized_replace' function of the UpdraftPlus WordPress plugin, versions 1.23.8 through 1.24.11, which deserializes untrusted data. An unauthenticated attacker can leverage it only when another plugin or theme containing a POP chain is installed on the site, and the deserialization is triggered when an administrator performs a search and replace.

Remediation

Users are advised to update the UpdraftPlus WordPress Backup & Migration Plugin to version 1.24.12 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 11, 2025, 11:01 AM

Vulnerability Rating

Custom Algorithm:
spread: 7.6
impact: 7.5
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.