Serialization flaw in wp-gdpr-compliance

Some days ago the people at Wordfence wrote about a wildly exploited vulnerability in wp-gdpr-compliance plugin. We have been monitoring this plugin for some months because we discovered a serialization bug around May and added it to our private vulnerability database at alertot.

Looking at the new version, they also fixed the aforementioned serialization bug exploitable through the parameter wpgdprc.

In the changelog, I think there was a line related to it:

Security fix: Removed base64_decode() function.

There’s no problem with base64_decode() function, but with unserialize() . At alertot, we’re used to misleading changelogs, that’s why we create our own changelogs from commits and version differences, to get more information and discover hidden fixed vulnerabilities to add to our vulnerability database.

Leaving the changelog issue, in this post I’m going to talk about the required scenario and the chances to exploit this vulnerability.

Required steps to exploit the serialization bug

First, you need to activate Request User Data page in the settings’ page of the plugin.

It’s not common to find it activated, then the likely to exploit this flaw was low. After that, you must put the shortcode [wpgdprc_access_request_form] in some page (in this case page_id=5 ). Then we can request this page and add the GET parameter wpgdprc to reach the unserialization part. As added requirement, the value of this parameter must be base64-encoded and then URL-encoded.

To test the serialization flaw, we will try to unserialize a PDO object since this kind of object is not serializable and will raise a notorious fatal error, enough to prove that we reach the serialization logic. Our final request is:

http://wordpress.test/?page_id=5&wpgdprc=TzozOiJQRE8iOjA6e30%3D

Sending this to our test server, we receive the following response:

In a setup with only Wordpress and this plugin installed, this vulnerability doesn’t seem exploitable. However, the presence of other plugins could make it. For instance, if the website has bothwp-gdpr-compliance and wp-statistics installed, the vulnerability would be exploitable because wp-statistics includes the library GuzzleHttp, which is known to have POI gadgets.

At ekoparty I gave a talk in depth about this subject, you can review the slides here. Our next post will be on Thursday about how we would patch the vulnerability discovered by Wordfence using virtual patching. Stay tuned!