WP Mail Logging PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the WP Mail Logging plugin for WordPress, affecting all versions through 1.15.0. The issue arises from the 'BaseModel' class constructor, which deserializes untrusted input from the email log message field without proper validation. This vulnerability allows unauthenticated attackers to inject a PHP object by sending a double-serialized payload through any public-facing form that transmits email, such as Contact Form 7. Once the email is logged and viewed by an administrator, the injected payload is deserialized into an arbitrary PHP object. While the vulnerable software does not have a known PHP Object Injection chain, the impact could be significant if another plugin or theme with a PHP Object Injection chain is installed, potentially allowing the attacker to delete files, access sensitive data, or execute code, depending on the specific chain available.
Impact
Exploitation of this vulnerability leads to PHP Object Injection, allowing for the injection of malicious PHP objects that could be exploited if a vulnerable PHP Object Injection chain is present on the site.
Reproduction
To reproduce this vulnerability, send an email through a public-facing form that uses the WP Mail Logging plugin, such as Contact Form 7. Include a double-serialized payload in the email log message field. Once the email is logged, an administrator can view it, triggering the deserialization of the malicious payload into a PHP object.
Remediation
Users are advised to update the WP Mail Logging plugin to version 1.16 or later.
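The hardening a defender would want for the pattern described above (a model constructor calling unserialize() on the stored message field), as an added illustration that is not WP Mail Logging's own code: the message is only ever decoded with `allowed_classes => false`, and anything that still resolves to an object is refused. `safe_unserialize_message()`, `contains_object()`, `MailLogEntry` and the sample rows are constructed for this example.

```php
<?php
// Added illustration, not the plugin's code: read a serialized message field
// without ever instantiating a class chosen by whoever sent the email.

function safe_unserialize_message(string $raw)
{
    // Only PHP serialization prefixes are worth decoding; anything else stays text.
    if (!preg_match('/^(?:[abdisCO]:|N;)/', $raw)) {
        return $raw;
    }
    // allowed_classes => false revives every "O:" record as __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of an arbitrary class can run during decoding.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return $raw;                       // malformed input: keep it as plain text
    }
    if (contains_object($value)) {
        error_log('mail-log: refused serialized object in message field');
        return null;                       // never store something a later unserialize() could revive
    }
    return $value;
}

function contains_object($value): bool
{
    $found = is_object($value);            // covers __PHP_Incomplete_Class as well
    if (is_array($value)) {
        array_walk_recursive($value, function ($item) use (&$found) {
            $found = $found || is_object($item);
        });
    }
    return $found;
}

final class MailLogEntry
{
    public $message;

    public function __construct(array $row)
    {
        // Hardened counterpart of a constructor that unserializes $row['message'] directly.
        $this->message = safe_unserialize_message((string) ($row['message'] ?? ''));
    }
}

// Constructed sample rows: a plain body, a serialized array, and a serialized object.
$plain  = new MailLogEntry(['message' => 'Hello from the contact form']);
$array  = new MailLogEntry(['message' => serialize(['subject' => 'Hi', 'body' => 'text'])]);
$object = new MailLogEntry(['message' => serialize(new stdClass())]);
var_dump($plain->message, $array->message, $object->message);
```

The third entry comes back as null and leaves a log line, which is the event worth alerting on: a serialized object arriving in a mail body has no legitimate reason to be there.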
