Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the WordPress plugin 'Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms', affecting all versions through 1.1.1. The vulnerability arises from the deserialization of untrusted input in the 'verify_field_val()' function, allowing unauthenticated attackers to inject PHP objects. When used in conjunction with a property of the Contact Form 7 plugin, this could lead to the deletion of arbitrary files, causing a denial-of-service condition or, if the wp-config.php file is removed, potentially allowing remote code execution.
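The class of bug described above, shown as an added illustration in plain PHP; it is not the plugin's code and does not reproduce 'verify_field_val()'. `DemoTempFile`, `field_value_unsafe()`, `contains_object()` and `field_value_safe()` are hypothetical names, the field values are constructed samples, and the destructor only records its argument instead of touching the filesystem.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.
// Stand-in for a "gadget": a class whose destructor acts on a property.
final class DemoTempFile {
    public $path = '';
    public static $log = [];
    public function __destruct() {
        // A real gadget might delete $this->path; this one only records it.
        self::$log[] = $this->path;
    }
}

// Weak pattern: unserialize() on a submitted value builds any loaded class.
function field_value_unsafe(string $raw) {
    return unserialize($raw);
}

// True if $value is, or contains, an object (incl. __PHP_Incomplete_Class).
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: never instantiate classes from submitted data.
function field_value_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return $raw;   // not serialized at all: treat as plain text
    }
    return contains_object($value) ? null : $value;   // reject object payloads
}

// Constructed field value: a serialized DemoTempFile with a sender-chosen path.
$submitted = 'O:12:"DemoTempFile":1:{s:4:"path";s:13:"/tmp/demo.txt";}';

$obj = field_value_unsafe($submitted);
unset($obj);                               // destructor runs with that path
var_dump(DemoTempFile::$log);
DemoTempFile::$log = [];
var_dump(field_value_safe($submitted));    // object payload is rejected
var_dump(DemoTempFile::$log);              // destructor never ran
var_dump(field_value_safe('a:1:{i:0;s:3:"red";}'), field_value_safe('hello'));
```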

Impact

Exploitation of this vulnerability allows for unauthenticated PHP Object Injection, which can be leveraged to execute arbitrary code or delete files, depending on the injected object and the context in which it is used.

Reproduction

The vulnerability can be reproduced by sending a request to a WordPress site with the vulnerable plugin active, including a crafted payload that exploits the deserialization process in the 'verify_field_val()' function. The request carries manipulated form data containing serialized objects; when the plugin deserializes that data, the PHP objects are injected into the application.

Remediation

Users are advised to update the plugin to version 1.1.2 or later.

Added: Jul 19, 2025, 5:23 AM
Updated: Jul 19, 2025, 5:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 7.7
relevance: 0.3
threat: 4.9
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.