Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie
Description
The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Technical Details
For those interested in understanding PHP Object Injection vulnerabilities and how to secure WordPress applications against them, I recommend the following defensive resources and security practices:
Understanding PHP Object Injection
PHP Object Injection occurs when untrusted input is passed to the PHP unserialize() function. If the application contains classes with "magic methods" (like __wakeup(), __destruct(), or __toString()), an attacker can manipulate the state of objects to trigger unintended code execution or file operations.
Defensive Best Practices
- Avoid unserialize() on User Input: The most effective defense is to never call unserialize() on data provided by users (including cookies, GET/POST parameters, or database values influenced by users).
- Use JSON Instead: For data serialization, use json_encode() and json_decode(). JSON is a data-interchange format and cannot instantiate arbitrary PHP classes, making it inherently safer against injection.
- Use the allowed_classes Option: If unserialize() must be used, PHP 7.0+ accepts an allowed_classes option. Setting it to false prevents the instantiation of any class: unserialize($data, ['allowed_classes' => false]);
- WordPress-Specific Functions: In WordPress development, use maybe_unserialize() and maybe_serialize() cautiously, and prioritize wp_json_encode() and json_decode() for new features.
- Input Validation: Always validate and sanitize cookies and other request data using functions like sanitize_text_field() or custom validation logic before processing them.
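The following added example (written for this page, not the Boost plugin's own code) puts the unsafe pattern the advisory describes next to the two hardened readers recommended above: unserialize() with allowed_classes set to false, and json_decode() followed by shape validation. The cookie name comes from the advisory; the assumed payload shape (city, lat, lng), the function names and the sample cookie values are constructed for illustration.

```php
<?php
// Added example: a location cookie reader, unsafe pattern beside hardened ones.
// The cookie name is from the advisory; the payload shape (city/lat/lng) and all
// function names are assumptions made for this demonstration.
declare(strict_types=1);

// UNSAFE (the pattern the advisory describes): raw cookie bytes reach unserialize(),
// so any serialized object in the cookie becomes a live PHP object whose magic
// methods (__wakeup(), __destruct(), ...) will run.
function read_location_unsafe(string $cookie): mixed
{
    return @unserialize($cookie);
}

// Shared shape check: only accept the fields we expect, with sane types and ranges.
// Mirrors what sanitize_text_field() does for the string in a WordPress context.
function validate_location(array $data): ?array
{
    if (!isset($data['city'], $data['lat'], $data['lng'])) {
        return null;
    }
    if (!is_string($data['city']) || !is_numeric($data['lat']) || !is_numeric($data['lng'])) {
        return null;
    }
    $lat = (float) $data['lat'];
    $lng = (float) $data['lng'];
    if ($lat < -90.0 || $lat > 90.0 || $lng < -180.0 || $lng > 180.0) {
        return null;
    }
    $city = trim(strip_tags($data['city']));
    $city = preg_replace('/[\x00-\x1F\x7F]/', '', $city) ?? '';
    if ($city === '' || strlen($city) > 100) {
        return null;
    }
    return ['city' => $city, 'lat' => $lat, 'lng' => $lng];
}

// HARDENED option 1: keep the serialized format (e.g. for legacy cookies) but forbid
// every class. Serialized objects come back as __PHP_Incomplete_Class, which is not
// an array, so they are rejected and no class's magic methods can be triggered.
function read_location_no_classes(string $cookie): ?array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    return validate_location($data);
}

// HARDENED option 2 (preferred for new code): JSON. json_decode() with assoc=true
// yields only arrays and scalars, never an instance of a plugin or theme class.
function read_location_json(string $cookie): ?array
{
    $data = json_decode($cookie, true, 4);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }
    return validate_location($data);
}

// In a WordPress request handler the input would be:
//   $raw = $_COOKIE['STYXKEY-BOOST_USER_LOCATION'] ?? '';
// Here we use constructed sample values instead so the script runs offline.
$goodJson   = '{"city":"Berlin","lat":52.52,"lng":13.405}';
$legacyArr  = serialize(['city' => 'Berlin', 'lat' => 52.52, 'lng' => 13.405]);
$objectBlob = 'O:8:"stdClass":1:{s:4:"city";s:6:"Berlin";}'; // a serialized object (harmless class)

var_dump(get_class(read_location_unsafe($objectBlob)));   // string(8) "stdClass": object instantiated
var_dump(read_location_no_classes($objectBlob));          // NULL: object rejected
var_dump(read_location_no_classes($legacyArr)['city']);   // string(6) "Berlin": plain arrays still work
var_dump(read_location_json($goodJson)['city']);          // string(6) "Berlin"
var_dump(read_location_json($objectBlob));                // NULL: not JSON
```

The two hardened readers share validate_location(), so the deserializer only decides what kinds of values can exist and the validator decides which of those are acceptable; either layer alone is weaker than the pair.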
Research and Remediation
- OWASP Guide: Review the OWASP guide on Deserialization of Untrusted Data.
- WordPress Security: Consult the WordPress Plugin Handbook on Security for best practices on data validation and sanitization.
- Patch Management: Ensure that all plugins and themes are updated to their latest versions to receive security patches. For the Boost plugin, users should update to version 2.0.4 or later.
Summary
The Boost plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to and including 2.0.3. This occurs because the plugin passes data from the 'STYXKEY-BOOST_USER_LOCATION' cookie directly into the PHP unserialize() function without proper validation, potentially allowing attackers to execute code if a POP chain is available on the target system.