_ _
/ | _| |_ _ _____ ___ ___ ___ ___ ___
_ / / | . | | | | . | _| . | _| -_|
|_|_/ |___|___|_|_|_| _|___|___|_| |___|
|_|
2019-05-07
Insecure Deserialization in WordPress plugin carts-guru v1.4.5
==============================================================
CVE-2019-12241
The plugin in question[1] passes attacker-controllable data (a cookie) to
PHP's unserialize() function, resulting in insecure deserialization (PHP
object injection). No authentication is required. There may well be further
instances of insecure deserialization in the plugin, but I stopped looking
after finding the one described here.
For background on insecure deserialization, see reference [2] below.
# Details
The plugin registers an action on the woocommerce_order_status_changed hook,
which the WooCommerce plugin[3] fires whenever an order's status changes.
The handler reads the cartsguru-source cookie, which any client can set to
an arbitrary value, and passes it unvalidated to unserialize() on line 98.
Because unserialize() reconstructs any class that is loaded in the WordPress
process, with attacker-chosen property values, magic methods such as
__wakeup() and __destruct() of those classes run on attacker-controlled
data. Whether this leads to code execution depends on the gadget classes
available in the installed WordPress core, plugins and themes; the
deserialization itself is reachable regardless.
classes/wc-cartsguru-event-handler.php:

 25    public function register_hooks()
 26    {
 ..
 31        add_action('woocommerce_order_status_changed', array($this, 'handle_order_status_changed'));
 ..
 38    }
 ..
 93    private function handle_order($orderId)
 94    {
 95        $order = WC_Cartsguru_Data_Adaptor::instance()->adapt_order($orderId);
 96        // Check source cookie
 97        if (isset($_COOKIE['cartsguru-source'])) {
 98            $order['source'] = unserialize($_COOKIE['cartsguru-source']);
 ..
103    }
 ..
155    public function handle_order_status_changed($orderId)
156    {
157        WC_Cartsguru_Utils::instance()->log('handle_order_status_changed ' . $orderId);
158        $this->handle_order($orderId);
159    }
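The following is an added example, not code from the carts-guru plugin or
from this advisory's author. It reproduces the vulnerable pattern from line 98
in a stand-alone script, shows a hypothetical gadget class (LogWriter,
constructed for the demo; it stands in for whatever loaded class has a
__wakeup() or __destruct() method) being instantiated from a forged
cartsguru-source cookie, and shows two ways of hardening the same line. The
cookie value and the order array are constructed inline so the script runs
offline with `php example.php`.

```php
<?php
// Added example, not carts-guru code. LogWriter is a hypothetical gadget
// class constructed for this demo; __wakeup() stands in for a real class's
// side effect (a file write, an include, an SQL query ...).

class LogWriter
{
    public $path = '';
    public $line = '';
    public static $writes = [];

    // __wakeup() runs on every object unserialize() reconstructs, with the
    // property values taken from the serialized string, i.e. chosen by
    // whoever sent the cookie. __destruct() is the other usual trigger.
    public function __wakeup()
    {
        // Stand-in for file_put_contents($this->path, $this->line, FILE_APPEND).
        self::$writes[] = $this->path . ' <= ' . $this->line;
    }
}

// The pattern from the advisory: raw cookie value straight into unserialize().
function handle_order_vulnerable(array $order, array $cookies)
{
    if (isset($cookies['cartsguru-source'])) {
        $order['source'] = unserialize($cookies['cartsguru-source']);
    }
    return $order;
}

// Hardening 1: refuse every class (PHP >= 7.0). Serialized objects become
// __PHP_Incomplete_Class, so no real class's __wakeup()/__destruct() runs.
// Only a scalar or array is a plausible "source"; anything else is dropped.
function handle_order_hardened(array $order, array $cookies)
{
    if (isset($cookies['cartsguru-source'])) {
        $src = unserialize($cookies['cartsguru-source'], ['allowed_classes' => false]);
        $order['source'] = (is_scalar($src) || is_array($src)) ? $src : null;
    }
    return $order;
}

// Hardening 2: do not use PHP serialization for client-supplied data at all.
// json_decode() with $assoc = true can never produce an object.
function handle_order_json(array $order, array $cookies)
{
    if (isset($cookies['cartsguru-source'])) {
        $src = json_decode($cookies['cartsguru-source'], true, 4);
        $order['source'] = is_array($src) ? $src : null;
    }
    return $order;
}

// Constructed attacker cookie: a serialized LogWriter with attacker-chosen
// properties. Built with serialize() here so the wire format is exact; an
// attacker simply sends the resulting string as the cartsguru-source cookie.
$gadget = new LogWriter();
$gadget->path = '/var/www/html/wp-content/uploads/x.php';
$gadget->line = '<?php system($_GET["c"]); ?>';
$cookies = ['cartsguru-source' => serialize($gadget)];
$order   = ['id' => 42];   // constructed stand-in for adapt_order()'s result

handle_order_vulnerable($order, $cookies);
printf("vulnerable: %d gadget write(s) triggered: %s\n",
    count(LogWriter::$writes), implode('; ', LogWriter::$writes));

LogWriter::$writes = [];
$h = handle_order_hardened($order, $cookies);
printf("hardened:   %d gadget write(s), source=%s\n",
    count(LogWriter::$writes), var_export($h['source'], true));

$j = handle_order_json($order, ['cartsguru-source' => '{"campaign":"spring"}']);
printf("json:       source=%s\n", json_encode($j['source']));
```

The allowed_classes option stops the object-injection path but still hands
attacker input to PHP's unserialize() parser; the PHP manual itself says not
to pass untrusted input to unserialize() regardless of that option. For a
cookie whose content is at most a string or a small array, a JSON (or plain
string) encoding with strict type checks, as in handle_order_json(), is the
safer fix.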
# Timeline
2019-05-07 Public disclosure
2019-05-07 CVE-ID requested
2019-05-20 CVE-2019-12241 assigned
# References
1: wordpress.org/plugins/carts-guru
2: owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
3: wordpress.org/plugins/woocommerce