Vulnerability found in WordPress anti-spam plugin

A WordPress anti-spam plugin used by 60,000+ users had a PHP Object Injection vulnerability. The plugin accepted base64-encoded user input and processed it unsafely, which is a risk for any website. The issue arises from improper sanitization of inputs submitted through the plugin's form.

The plugin lets websites block spam submitted through forms, comments, registrations and signups, and it was well equipped to recognize spam bots and block them by source IP address.

The plugin also lets site owners allow only specific kinds of input. Users can choose an input type, and the plugin will pass through only content of that type, for example images, text or email addresses.

Sanitization is the process of selecting the acceptable input from everything that is submitted. If a function is meant to accept only text as its input, the plugin strips everything except text from the inputs.

The vulnerability found in the WordPress anti-spam plugin allowed base64-encoded input to pass through. The plugin decodes that input and passes it to PHP's unserialize() function, which is what makes this a PHP Object Injection vulnerability. This could lead to compromise and harm to the users of the plugin.
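To make the pattern concrete, here is an added illustration (not the plugin's code; function and field names are hypothetical) of the vulnerable decode-then-unserialize flow beside a hardened reader that refuses object instantiation and validates what it gets back:

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's code; names and keys are hypothetical.

// VULNERABLE PATTERN (as the article describes): untrusted, base64-encoded
// request data is decoded and handed straight to unserialize(), so a crafted
// payload may instantiate any class loaded on the site (PHP Object Injection).
function read_form_state_vulnerable(string $encoded)
{
    $raw = base64_decode($encoded, true);
    return $raw === false ? null : unserialize($raw);
}

// Defensive heuristic: flag serialized-object markers ("O:" / "C:") in the
// decoded input so suspicious submissions can be rejected and logged.
// (A string value containing such a marker would also match; that is an
// acceptable false positive for a reject-and-log check.)
function contains_serialized_object(string $raw): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// HARDENED: forbid object instantiation entirely and validate the shape of
// the result. For new code, prefer a data-only format such as JSON instead.
function read_form_state_hardened(string $encoded): ?array
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || contains_serialized_object($raw)) {
        error_log('rejected form state: serialized object marker present');
        return null;
    }
    // allowed_classes => false turns any object into __PHP_Incomplete_Class,
    // so no constructor, __wakeup() or __destruct() of a site class can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    // Keep only the keys the form actually uses (constructed allow-list).
    $allowed = ['form_id' => true, 'fields' => true];
    return array_intersect_key($data, $allowed);
}

// Constructed sample: a benign array in the shape such a plugin might store.
$sample = base64_encode(serialize(['form_id' => 7, 'fields' => ['email'], 'extra' => 'x']));
var_dump(read_form_state_hardened($sample));
```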

The Open Web Application Security Project (OWASP) describes the impact of this class of vulnerability as ‘overstating.’ It also notes that the flaw in the plugin could lead to remote code execution attacks, which are among the most severe kinds of attack.

Although the flaw is very difficult to exploit, the risk is much higher because businesses depend on the security of their data.

The vulnerability in the WordPress anti-spam plugin is now fixed in version 2022.6. The developers announced that they fixed the problem and enhanced security in the latest update. Users must immediately switch to the upgraded version to protect their data from attackers.
