Blocksy WordPress Theme PHP Object Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A PHP object injection vulnerability exists in the Blocksy theme for WordPress in all versions up to and including 2.1.35, and it can lead to remote code execution. The root cause is inadequate input sanitization of the 'blocksy_post_meta_options' REST API field: the 'blocksy_sanitize_post_meta_options' function only rejects values containing '<' or '>', so serialized PHP object strings can be saved into post metadata. During the V200 database migration, 'SearchReplacer::run_recursively' unserializes every string value it encounters without any class restrictions. An authenticated attacker with contributor-level access or higher can therefore store a serialized 'Blocksy\RaiiPattern' object in the post meta; when the V200 migration runs on an updated site, the object is deserialized, its destructor is triggered, and the attacker-supplied PHP callable is executed via 'call_user_func'.

Impact

Successful exploitation allows authenticated users with contributor-level access or higher to inject serialized objects that execute arbitrary PHP code when deserialized, potentially leading to full site compromise.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can inject a serialized 'Blocksy\RaiiPattern' object into the 'blocksy_post_meta_options' field of a WooCommerce product variation. This can be done by using the WordPress REST API to update the post meta with the serialized object. Once the object is injected, the V200 database migration must be run, which will deserialize the object and execute the injected PHP callable.

Remediation

Users are advised to update the Blocksy theme to version 2.1.42 or later, where this vulnerability has been patched.
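The two weaknesses the advisory describes (a sanitizer that only rejects '<' and '>', and a migration that unserializes every stored string) suggest two defender-side checks: refusing serialized object tokens at write time, and auditing post meta that was stored before the patch. The following is an added example written for this page, not code from the Blocksy theme; the function names 'weak_sanitize', 'hardened_sanitize' and 'scan_post_meta' are hypothetical, and the post meta rows are constructed samples (a harmless 'stdClass' stands in for any object class).

```python
import re
from typing import Dict, List, Optional, Tuple

# Start of a serialized PHP object: O:<class-name-length>:"<ClassName>":
# The lookbehind keeps ordinary text such as "INFO:" or "NO:" from matching.
PHP_OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])O:(\d+):"([^"]*)":')


def weak_sanitize(value: str) -> Optional[str]:
    """Hypothetical stand-in for the check the advisory describes: only values
    containing '<' or '>' are rejected, so serialized objects pass through."""
    if "<" in value or ">" in value:
        return None
    return value


def serialized_object_classes(value: str) -> List[str]:
    """Return the class names of every serialized PHP object token embedded in
    value, at any nesting depth (a serialized array whose string element is
    itself a serialized object is the case a recursive migration would hit)."""
    found = []
    for match in PHP_OBJECT_TOKEN.finditer(value):
        declared_len, class_name = int(match.group(1)), match.group(2)
        # unserialize() requires the declared length to equal the byte length
        # of the class name; skip tokens that could never deserialize.
        if len(class_name.encode("utf-8")) == declared_len:
            found.append(class_name)
    return found


def hardened_sanitize(value: str) -> Optional[str]:
    """Same rejection as weak_sanitize, plus refusal of any value that carries a
    serialized PHP object token, so nothing that unserializes to an object is
    ever stored in post meta."""
    if "<" in value or ">" in value:
        return None
    if serialized_object_classes(value):
        return None
    return value


def scan_post_meta(rows: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Audit already-stored post meta rows (as exported from wp_postmeta) and
    report (post_id, meta_key, class_name) for every embedded serialized object."""
    findings = []
    for row in rows:
        for class_name in serialized_object_classes(str(row["meta_value"])):
            findings.append((int(row["post_id"]), str(row["meta_key"]), class_name))
    return findings


# Constructed sample rows, not real site data. Row 102 embeds a harmless
# serialized stdClass inside a serialized array string, the shape a
# recursive "unserialize every string" migration would act on.
SAMPLE_ROWS = [
    {"post_id": 101, "meta_key": "blocksy_post_meta_options",
     "meta_value": 'a:1:{s:5:"color";s:7:"#ffffff";}'},
    {"post_id": 102, "meta_key": "blocksy_post_meta_options",
     "meta_value": 'a:1:{s:3:"foo";s:35:"O:8:"stdClass":1:{s:1:"x";s:1:"y";}";}'},
    {"post_id": 103, "meta_key": "_custom_note",
     "meta_value": "TODO: call vendor, ref NO:42"},
]

if __name__ == "__main__":
    suspect = SAMPLE_ROWS[1]["meta_value"]
    print("weak sanitizer stored it:", weak_sanitize(suspect) is not None)
    print("hardened sanitizer stored it:", hardened_sanitize(suspect) is not None)
    for post_id, key, cls in scan_post_meta(SAMPLE_ROWS):
        print(f"post {post_id} meta '{key}' contains serialized object of class {cls}")
```

Run against a dump of wp_postmeta, the scanner lists every row a class-unrestricted unserialize would turn into a live object, which is the set worth reviewing before any migration that deserializes stored strings is allowed to run. On the PHP side, the equivalent hardening of the migration itself is to call unserialize($value, ['allowed_classes' => false]) so that object tokens become __PHP_Incomplete_Class instances with no destructor to trigger.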

Added: Jun 9, 2026, 9:56 AM
Updated: Jun 9, 2026, 9:56 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.