Advisory: CVE-2020-29045 – Unauthenticated RCE via Arbitrary Object Deserialisation in Five Star Restaurant Menu – WordPress Ordering Plugin

It is possible to gain Unauthenticated Remote Code Execution (RCE) on any WordPress instance running this plugin, because the fdm_cart cookie, which is unsanitised user input, is parsed with unserialize() in includes/class-cart-manager.php.

CVE: CVE-2020-29045
Severity: HIGH
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Requires Authentication: No

Timeline

Discovered: 2020-11-17 – Nick Blundell, AppCheck Ltd
Contacted Vendor (with no response): 2020-11-17 and again on 2020-11-30
Reported directly to WordPress Security Team: 2021-01-06
Fixed: 2021-01-11 (in version 2.2.1)

Affected Software

Name: Five Star Restaurant Menu – WordPress Ordering Plugin
URL: https://wordpress.org/plugins/food-and-drink-menu/
Version: <= 2.2.0
Vendor: Fivestar Plugins (https://www.fivestarplugins.com/)
Google dork: inurl:"/wp-content/plugins/food-and-drink-menu/"

Affected Components

The following code deserialises the cookie value sent from the user, such that arbitrary code may be injected:

// File: includes/class-cart-manager.php

public function load_cart_from_cookie() {
    $fdm_cart_items = isset( $_COOKIE['fdm_cart'] ) ? unserialize( $_COOKIE['fdm_cart'] ) : array();
    // -->                                            ^^^^^^^^^^^  untrusted cookie value handed straight to unserialize()
    if ( ! is_array( $fdm_cart_items ) ) { return; }

    foreach ( $fdm_cart_items as $fdm_cart_item ) {
        $this->cart_items[ $fdm_cart_item->item_identifier ] = $fdm_cart_item;
    }
}

Exploitation Demo

Exploitation of PHP (de)serialisation vulnerabilities involves leveraging a collection of gadget classes that are already present within the vulnerable application (for example in third-party libraries), arranged so that arbitrary code execution (or some other malicious action) is triggered when that chain of gadget classes is deserialised. See the references below for more details on this class of vulnerability and its exploitation.
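As an added example (not the plugin's own code, and not the fix shipped in 2.2.1, which this advisory does not reproduce), the PHP below places the vulnerable pattern from load_cart_from_cookie() beside a hardened loader, and uses a stand-in DemoGadget class to show why any class with a deserialisation magic method becomes a gadget. The function and class names are assumptions, and both cookie values are constructed.

```php
<?php
// Added example, not the plugin's own code and not the 2.2.1 fix: the vulnerable
// pattern beside a hardened loader that accepts only a JSON array of plain item
// records. DemoGadget stands in for any class with a deserialisation magic
// method; both cookie values below are constructed.

class DemoGadget {
    public $note = 'gadget';
    public function __wakeup() {
        // In a real gadget chain, attacker-controlled behaviour starts here.
        echo "DemoGadget::__wakeup() ran inside unserialize()\n";
    }
}

function load_cart_items_unsafe(string $cookie): array {
    // Same shape as load_cart_from_cookie(): every class named in the payload is
    // instantiated, and its magic methods run, before is_array() is ever reached.
    $items = @unserialize($cookie);
    return is_array($items) ? $items : [];
}

function load_cart_items_hardened(string $cookie): array {
    // JSON cannot describe PHP objects, so no class is instantiated at all.
    // (unserialize($c, ['allowed_classes' => false]) is the narrower option when the format cannot change.)
    $items = json_decode($cookie, true);
    if (! is_array($items)) { return []; }
    $cart = [];
    foreach ($items as $item) {
        // Keep only records with the fields the cart needs, in the expected types.
        if (! is_array($item) || ! isset($item['item_identifier'], $item['quantity'])) { continue; }
        $id = (string) $item['item_identifier'];
        if (! preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) { continue; }
        $qty = filter_var($item['quantity'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 99]]);
        if ($qty === false) { continue; }
        $cart[$id] = ['item_identifier' => $id, 'quantity' => $qty];
    }
    return $cart;
}

// Constructed cookie in the attacker's shape: a serialised array holding an object.
$objectCookie = serialize([new DemoGadget()]);
// Constructed cookie in the hardened JSON shape.
$jsonCookie = json_encode([['item_identifier' => 'burger_12', 'quantity' => 2]]);

load_cart_items_unsafe($objectCookie);             // the object is rebuilt and __wakeup() runs
var_dump(load_cart_items_hardened($objectCookie)); // serialised text is not JSON, so nothing is loaded
var_dump(load_cart_items_hardened($jsonCookie));   // one validated record
```

Switching the cookie to JSON means the code that writes the cookie must change in step, and any value still in the old serialised format is simply rejected rather than parsed.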

Exploit Demo Screencast

References

About AppCheck

AppCheck is a software security vendor based in the UK that offers a leading security scanning platform automating the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure.
