WordPress Friends Plugin PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Friends plugin for WordPress, specifically in version 3.5.1. This vulnerability arises from the deserialization of untrusted input in the query_vars parameter, allowing authenticated attackers with subscriber-level access or higher to inject a PHP object. While the vulnerable version does not have a known object injection chain, the vulnerability could be exploited if another plugin or theme with a suitable chain is installed. In such cases, it might enable the attacker to delete arbitrary files, access sensitive data, or execute code, depending on the nature of the injected object and the available injection chain.
Impact
Exploitation of this vulnerability could lead to unauthorized PHP object injection, with potential consequences depending on the presence of a suitable object injection chain in an installed plugin or theme.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request that includes the query_vars parameter with serialized data. The Friends plugin will unserialize this data, allowing for the injection of a PHP object.
Remediation
Users are advised to update the Friends plugin to version 3.5.2 or a newer patched version.
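To show the class of defect the advisory describes, the following is an added PHP illustration (not the Friends plugin's own code): the unsafe pattern of passing a client-supplied query_vars value straight to unserialize(), beside two hardened variants. The function names, the request handling and the sample inputs are assumptions; only the parameter name query_vars comes from the advisory.

```php
<?php
// Added illustration, not the Friends plugin's own code. The parameter name
// query_vars comes from the advisory; function names and inputs are assumed.

// Vulnerable pattern: a request value goes straight to unserialize(), so any
// serialized object in it is instantiated and its magic methods (__wakeup,
// __destruct) run. Whether that is harmful depends on which classes are loaded,
// which is exactly why an unrelated plugin or theme can supply the chain.
function friends_query_vars_unsafe( string $raw ): array {
    $vars = unserialize( $raw );
    return is_array( $vars ) ? $vars : array();
}

// Hardened variant 1: keep the serialized format but forbid every class.
// Objects in the payload become __PHP_Incomplete_Class, no magic methods run,
// and the request is rejected outright if any object was present.
function friends_query_vars_safe( string $raw ): array {
    $vars = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $vars ) ) {
        return array();
    }
    array_walk_recursive( $vars, function ( $v ) {
        if ( is_object( $v ) ) {
            throw new InvalidArgumentException( 'object in query_vars rejected' );
        }
    } );
    return $vars;
}

// Hardened variant 2: do not accept PHP serialization from clients at all.
// JSON cannot encode PHP objects, and an allow-list limits the keys to the
// query variables the code actually expects.
function friends_query_vars_json( string $raw, array $allowed_keys ): array {
    $vars = json_decode( $raw, true, 8, JSON_THROW_ON_ERROR );
    if ( ! is_array( $vars ) ) {
        throw new InvalidArgumentException( 'query_vars must be a JSON object' );
    }
    return array_intersect_key( $vars, array_flip( $allowed_keys ) );
}

// Constructed sample inputs: a plain array and a payload carrying a stdClass.
$benign = serialize( array( 'post_type' => 'post', 'posts_per_page' => 5 ) );
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump( friends_query_vars_safe( $benign ) );
try {
    friends_query_vars_safe( $object );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump( friends_query_vars_json( '{"post_type":"post","x":1}', array( 'post_type' ) ) );
```

The allowed_classes option requires PHP 7.0 or later; on older runtimes only the JSON variant removes the object-instantiation path.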
