_      _
    / |   _| |_ _ _____ ___ ___ ___ ___ ___
 _ / /   | . | | |     | . |  _| . |  _| -_|
|_|_/    |___|___|_|_|_|  _|___|___|_| |___|
                       |_|

2019-05-07

Insecure Deserialization in WordPress plugin carts-guru v1.4.5
==============================================================

CVE-2019-12241

The plugin in question[1] passes attacker controllable data to the
unserialize() function, resulting in insecure deserialization.
No authentication required. There might very well be more instances of
insecure deserialization, but I stopped looking after I found the one
mentioned here.

For more about insecure deserialization, check references below[2].


# Details

The plugin in question registers hooks that are triggered by the
woocommerce plugin[3]. The hook takes the value of an
attacker-controllable cookie, and passes it to the unserialize() function
on line 98.

classes/wc-cartsguru-event-handler.php:


   25     public function register_hooks()
   26     {
   ..
   31         add_action('woocommerce_order_status_changed', array($this, 'handle_order_status_changed'));
   ..
   38     }
   ..
   93     private function handle_order($orderId)
   94     {
   95         $order = WC_Cartsguru_Data_Adaptor::instance()->adapt_order($orderId);
   96         // Check source cookie
   97         if (isset($_COOKIE['cartsguru-source'])) {
   98             $order['source'] = unserialize($_COOKIE['cartsguru-source']);
   ..
  103     }
   ..
  155     public function handle_order_status_changed($orderId)
  156     {
  157         WC_Cartsguru_Utils::instance()->log('handle_order_status_changed ' . $orderId);
  158         $this->handle_order($orderId);
  159     }
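The following is an added illustration and not code from the plugin or
from this advisory's author. It places the vulnerable pattern from line 98
next to two hardened variants: treating the cookie as an opaque validated
string, and, where unserialize() cannot be removed right away, calling it
with allowed_classes set to false (PHP 7.0+) so that no real class and
none of its magic methods (__wakeup, __destruct) can be reached from cookie
data. The function names and the sample cookie values are assumptions made
for the example; only the cookie name 'cartsguru-source' comes from the
advisory.

```php
<?php
// Added example (hypothetical helpers), not the carts-guru plugin's code.

// Vulnerable pattern, equivalent to wc-cartsguru-event-handler.php line 98:
// attacker-controlled cookie data reaches unserialize() unchecked, so any
// class loaded by WordPress/WooCommerce can be instantiated with
// attacker-chosen properties, and its __wakeup()/__destruct() will run.
function read_source_cookie_vulnerable(array $cookies)
{
    if (isset($cookies['cartsguru-source'])) {
        return unserialize($cookies['cartsguru-source']);
    }
    return null;
}

// Hardened variant 1 (hypothetical): the "source" is really just a label,
// so accept it as an opaque string and validate it against a tight format.
// No parser that can construct objects ever sees the cookie.
function read_source_cookie_hardened(array $cookies)
{
    if (!isset($cookies['cartsguru-source']) || !is_string($cookies['cartsguru-source'])) {
        return null;
    }
    $raw = $cookies['cartsguru-source'];
    // Reject anything that is not a short printable token.
    if (strlen($raw) > 64 || !preg_match('/^[A-Za-z0-9_-]+$/', $raw)) {
        return null;
    }
    return $raw;
}

// Hardened variant 2 (hypothetical): if unserialize() must stay for
// compatibility, forbid object instantiation. With allowed_classes => false
// every serialized object becomes __PHP_Incomplete_Class, so no magic
// method of a real class executes. Only scalar/array results are accepted.
function read_source_cookie_no_objects(array $cookies)
{
    if (!isset($cookies['cartsguru-source']) || !is_string($cookies['cartsguru-source'])) {
        return null;
    }
    $value = @unserialize($cookies['cartsguru-source'], ['allowed_classes' => false]);
    return (is_scalar($value) || is_array($value)) ? $value : null;
}

// Constructed sample cookies: a benign label and a serialized stdClass
// object (stdClass carries no magic methods; it only shows the difference
// between object-bearing and plain input).
$benign           = ['cartsguru-source' => 'newsletter'];
$serializedObject = ['cartsguru-source' => 'O:8:"stdClass":1:{s:1:"a";i:1;}'];

var_dump(read_source_cookie_hardened($benign));
var_dump(read_source_cookie_hardened($serializedObject));
var_dump(read_source_cookie_no_objects($serializedObject));
var_dump(read_source_cookie_vulnerable($serializedObject));
```

Variant 1 is the proper fix for this case, since the plugin only needs a
string; variant 2 is a stop-gap that still exposes unserialize()'s parser
to untrusted input and should be paired with a migration to JSON or plain
strings. For detection, cookie values beginning with a serialization
prefix such as O: on requests to a WooCommerce site are worth alerting on.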


# Timeline

2019-05-07 Public disclosure
2019-05-07 CVE-ID requested
2019-05-20 CVE-2019-12241 assigned


# References

1: wordpress.org/plugins/carts-guru
2: owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
3: wordpress.org/plugins/woocommerce