Visitor Logic Lite WordPress Plugin PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Visitor Logic Lite plugin for WordPress, affecting all versions through 1.0.3. The issue arises from the 'lp_track()' function, which deserializes untrusted data from the 'lpblocks' cookie without any sanitization or validation. This flaw allows unauthenticated attackers to inject PHP objects. No known payload (gadget) chain exists in the vulnerable plugin itself, but if another plugin or theme on the target site supplies one, the injected objects could be leveraged for arbitrary file deletion, sensitive data exposure, or code execution on the WordPress site.
Impact
Exploitation of this vulnerability could result in PHP Object Injection, allowing attackers to manipulate objects in a way that could lead to code execution, file deletion, or data exposure, depending on the presence of a suitable payload chain through other plugins or themes.
Reproduction
To reproduce this vulnerability, send a request to a WordPress site with the Visitor Logic Lite plugin installed whose 'lpblocks' cookie carries attacker-controlled serialized data. The 'lp_track()' function passes the cookie value to deserialization without validation, which is the PHP Object Injection sink.
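The sink described in the Vulnerability and Reproduction sections, as an added PHP illustration of the bug class and its hardened forms. This is not the Visitor Logic Lite plugin's source; the function names `lp_track_vulnerable`, `lp_track_no_objects` and `lp_track_json` are hypothetical stand-ins for the advisory's `lp_track()`, and the demo inputs are constructed.

```php
<?php
// Added illustration of the bug class in this advisory. This is NOT the
// Visitor Logic Lite plugin's source; the function names are hypothetical
// stand-ins for its lp_track(). Assumes WordPress has slash-escaped $_COOKIE,
// so the raw cookie value is passed in and unslashed here.

// VULNERABLE PATTERN: unserialize() on an attacker-controlled cookie.
// unserialize() instantiates whatever class the string names, so every class
// loaded on the site with a magic method (__wakeup, __destruct, __toString)
// is a potential gadget for a chain supplied by another plugin or theme.
function lp_track_vulnerable( string $cookie ): array {
    $blocks = unserialize( stripslashes( $cookie ) ); // object injection sink
    return is_array( $blocks ) ? $blocks : array();
}

// HARDENED 1: keep the format but forbid object creation. Any class named in
// the input becomes __PHP_Incomplete_Class, which has no magic methods, so no
// gadget chain can start. The array contents are still untrusted input.
function lp_track_no_objects( string $cookie ): array {
    $blocks = unserialize( stripslashes( $cookie ), array( 'allowed_classes' => false ) );
    return is_array( $blocks ) ? $blocks : array();
}

// HARDENED 2 (preferred): use a format that cannot express PHP objects at all
// and enforce the expected shape, here a list of non-negative integer block IDs.
function lp_track_json( string $cookie ): array {
    $decoded = json_decode( stripslashes( $cookie ), true ); // assoc arrays, never objects
    if ( ! is_array( $decoded ) ) {
        return array();
    }
    return array_values( array_filter( $decoded, function ( $v ) {
        return is_int( $v ) && $v >= 0;
    } ) );
}

// Constructed demo input: a serialized array holding one stdClass (harmless,
// it has no magic methods) to show which pattern instantiates objects.
$demo = 'a:1:{i:0;O:8:"stdClass":0:{}}';
var_dump( get_class( lp_track_vulnerable( $demo )[0] ) );  // vulnerable: a real stdClass instance
var_dump( get_class( lp_track_no_objects( $demo )[0] ) ); // hardened: placeholder __PHP_Incomplete_Class
var_dump( lp_track_json( $demo ) );                        // hardened: not JSON, rejected as empty list
var_dump( lp_track_json( '[3,7,-1,"x"]' ) );               // hardened: only the valid IDs survive
```

The allowed_classes option requires PHP 7.0 or later; on older runtimes only the JSON approach removes the object-instantiation path.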
Remediation
No patch is currently available. It is recommended to uninstall the affected plugin and find a replacement.