2019-05-07

Insecure Deserialization in WordPress plugin carts-guru v1.4.5
==============================================================

CVE-2019-12241

The plugin in question[1] passes attacker controllable data to the unserialize() function, resulting in insecure deserialization. No authentication required.

There might very well be more instances of insecure deserialization, but I stopped looking after I found the one mentioned here. For more about insecure deserialization, check references below[2].

# Details

The plugin in question registers hooks that are triggered by the woocommerce plugin[3]. The hook takes the value of an attacker-controllable cookie, and passes it to the unserialize() function on line 98.

classes/wc-cartsguru-event-handler.php:

 25 public function register_hooks()
 26 {
 ..
 31     add_action('woocommerce_order_status_changed', array($this, 'handle_order_status_changed'));
 ..
 38 }
 ..
 93 private function handle_order($orderId)
 94 {
 95     $order = WC_Cartsguru_Data_Adaptor::instance()->adapt_order($orderId);
 96     // Check source cookie
 97     if (isset($_COOKIE['cartsguru-source'])) {
 98         $order['source'] = unserialize($_COOKIE['cartsguru-source']);
 ..
103 }
 ..
155 public function handle_order_status_changed($orderId)
156 {
157     WC_Cartsguru_Utils::instance()->log('handle_order_status_changed ' . $orderId);
158     $this->handle_order($orderId);
159 }

# Timeline

2019-05-07 Public disclosure
2019-05-07 CVE-ID requested
2019-05-20 CVE-2019-12241 assigned

# References

1: https://wordpress.org/plugins/carts-guru/
2: https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
3: https://wordpress.org/plugins/woocommerce/
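The following is an added example, not code from the plugin or the advisory author: the cookie-reading pattern from handle_order() beside a hardened variant that refuses to instantiate classes and checks the shape of the result. The cookie name comes from the advisory; the expected keys (utm_source, utm_medium, utm_campaign) and the length limits are assumptions for illustration.

```php
<?php
// Vulnerable pattern (as in handle_order): any serialized value, including
// objects of arbitrary loaded classes, is reconstructed, so their magic
// methods (__wakeup, __destruct) run on attacker-chosen data.
function read_source_unsafe(array $cookies)
{
    if (!isset($cookies['cartsguru-source'])) {
        return null;
    }
    return unserialize($cookies['cartsguru-source']);
}

// Hardened variant: 'allowed_classes' => false (PHP 7.0+) turns every
// serialized object into __PHP_Incomplete_Class, so no constructor or
// magic method of an application class runs. The result is then reduced
// to the scalar fields the handler is assumed to need.
function read_source_safe(array $cookies)
{
    if (!isset($cookies['cartsguru-source']) || !is_string($cookies['cartsguru-source'])) {
        return null;
    }
    $raw = $cookies['cartsguru-source'];
    if (strlen($raw) > 1024) {          // assumed upper bound for a tracking cookie
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {             // objects and malformed input are rejected here
        return null;
    }
    $out = [];
    foreach (['utm_source', 'utm_medium', 'utm_campaign'] as $key) {   // assumed keys
        if (isset($data[$key]) && is_string($data[$key])) {
            $out[$key] = substr($data[$key], 0, 255);
        }
    }
    return $out;
}

// Constructed cookie values for demonstration.
$benign  = serialize(['utm_source' => 'newsletter']);
$object  = 'O:8:"stdClass":0:{}';      // an object payload: accepted by unserialize(), refused below

var_dump(read_source_safe(['cartsguru-source' => $benign]));  // array('utm_source' => 'newsletter')
var_dump(read_source_safe(['cartsguru-source' => $object]));  // NULL
var_dump(read_source_safe(['cartsguru-source' => 'garbage'])); // NULL
```

Storing the tracking data as JSON and reading it with json_decode() removes the unserialize() call altogether and is the preferable fix where the cookie format can be changed.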