iControlWP WordPress Site Manager PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the iControlWP – Multiple WordPress Site Manager plugin, affecting all versions through 4.4.5. The vulnerability arises from the deserialization of untrusted input in the reqpars parameter, allowing unauthenticated attackers to inject PHP objects. While the vulnerable plugin itself does not have a known property-oriented programming (POP) chain, the impact could be significant if another plugin or theme with a POP chain is installed, potentially enabling actions such as deleting files, accessing sensitive information, or executing code, depending on the specific POP chain available.
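As an added example, not the plugin's own code: the unsafe unserialize() pattern this advisory describes, beside a hardened parser for the same request parameter. The function names, the accepted keys and the sample inputs are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Function names, schema and
// sample inputs are hypothetical.

// UNSAFE: unserialize() on request input instantiates whatever class the
// payload names, so any __wakeup()/__destruct() gadget on the site can run.
function unsafe_parse_reqpars(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED: no object may be instantiated from the request, and the result is
// bound to an explicit allow-list of scalar fields before it is used.
function safe_parse_reqpars(string $raw): array
{
    // allowed_classes => false (PHP >= 7.0) turns every serialized object into
    // __PHP_Incomplete_Class, so no magic method from a POP chain is invoked.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('reqpars must be a serialized array');
    }
    // Reject payloads that still smuggle an (incomplete) object anywhere inside.
    array_walk_recursive($data, static function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not permitted in reqpars');
        }
    });
    // Hypothetical schema: only these keys, with these scalar types, are kept.
    $schema = ['action' => 'string', 'site_id' => 'integer'];
    $clean  = [];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            throw new InvalidArgumentException("reqpars.$key missing or not $type");
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// Constructed inputs: a benign array and a payload naming an arbitrary class.
$benign  = serialize(['action' => 'ping', 'site_id' => 7]);
$hostile = 'O:9:"SomeClass":1:{s:4:"prop";s:4:"data";}';
var_dump(safe_parse_reqpars($benign));
try {
    safe_parse_reqpars($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the request format can be changed, replacing serialize()/unserialize() with JSON (json_decode($raw, true, 16, JSON_THROW_ON_ERROR)) removes the object-instantiation primitive entirely rather than filtering it.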

Impact

Exploitation allows an unauthenticated attacker to inject arbitrary PHP objects through the reqpars parameter. On its own the plugin offers no known gadget, but if a property-oriented programming (POP) chain is present through an additional plugin or theme, the injected object can be used to delete files, access sensitive data, or execute arbitrary code, depending on that chain.

Reproduction

The vulnerability can be reproduced by sending a request to the WordPress site with the reqpars parameter containing a serialized PHP object. This can be done using a tool like Burp Suite or by crafting a custom script that sends the appropriate request. The injected object can then be accessed through the WordPress API, depending on the object's properties and the presence of a POP chain.

Remediation

Users are advised to update the iControlWP – Multiple WordPress Site Manager plugin to version 4.5.0 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.