WordPress Importer PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the WordPress Importer plugin, affecting all versions through 0.8.3. The issue arises from the deserialization of untrusted input in the 'maybe_unserialize' function. This vulnerability allows authenticated attackers with Administrator-level access to inject a PHP object. However, no known Property-Oriented Programming (POP) chain exists within the vulnerable software itself. The vulnerability could be exploited if an additional plugin or theme containing a POP chain is installed on the same site, potentially allowing the attacker to delete arbitrary files, access sensitive data, or execute code, depending on the nature of the POP chain.
Impact
Exploitation of this vulnerability could lead to unauthorized PHP object injection. The consequences depend on whether an additional plugin or theme installed on the same site provides a POP chain that the injected object can trigger.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator privileges can upload a WXR file containing serialized data that exploits the deserialization vulnerability in the WordPress Importer plugin version 0.8.3 or earlier.
Remediation
Users are advised to update the WordPress Importer plugin to version 0.8.4 or later, where this vulnerability has been patched.
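The following is an added example, not code from the plugin or from this advisory: a pre-import screen that parses a WXR file and reports every element whose text contains a PHP serialized object token, which is the kind of input the description above refers to. The function name, the sample document and the fields it uses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# PHP serialize() writes objects as O:<len>:"Class":<count>:{...} and
# Serializable objects as C:<len>:"Class":<len>:{...}. Arrays (a:), strings (s:)
# and scalars never instantiate a class, so only O:/C: tokens are flagged.
# An optional "+" before the length is tolerated to keep the match conservative.
OBJECT_TOKEN = re.compile(r'\b([OC]):\+?\d+:"([^"]+)":\d+:\{')

def find_serialized_objects(wxr_bytes):
    """Return (element tag, class name) for each object token found in element text."""
    # WXR exports carry no DTD; refusing one avoids entity-expansion input.
    if b"<!DOCTYPE" in wxr_bytes or b"<!ENTITY" in wxr_bytes:
        raise ValueError("unexpected DTD in WXR file")
    findings = []
    for elem in ET.fromstring(wxr_bytes).iter():
        for match in OBJECT_TOKEN.finditer(elem.text or ""):
            tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
            findings.append((tag, match.group(2)))
    return findings

# Constructed sample: one ordinary serialized array (not flagged) and one
# array that wraps a harmless stdClass object (flagged).
SAMPLE_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
 <channel>
  <item>
   <title>Hello</title>
   <wp:postmeta>
    <wp:meta_key>layout</wp:meta_key>
    <wp:meta_value><![CDATA[a:1:{s:4:"cols";i:2;}]]></wp:meta_value>
   </wp:postmeta>
   <wp:postmeta>
    <wp:meta_key>extra</wp:meta_key>
    <wp:meta_value><![CDATA[a:1:{i:0;O:8:"stdClass":0:{}}]]></wp:meta_value>
   </wp:postmeta>
  </item>
 </channel>
</rss>"""

if __name__ == "__main__":
    for tag, cls in find_serialized_objects(SAMPLE_WXR):
        print(f"{tag}: serialized object of class {cls}")
```

Any hit names a class that PHP would try to instantiate on deserialization, so a flagged file deserves manual review before it is imported.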
