Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 - Unauthenticated PHP Object Injection
Description
The Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.2.1What Changed in the Fix
Changes introduced in v1.2.2
Source Code
WordPress.org SVNThis research plan targets a PHP Object Injection vulnerability in the **Integration for Keap/infusionsoft** plugin (version <= 1.2.1). The vulnerability arises from the unauthenticated use of `unserialize()` on user-controlled data, likely within an AJAX handler registered by the plugin's core fram…
Show full research plan
This research plan targets a PHP Object Injection vulnerability in the Integration for Keap/infusionsoft plugin (version <= 1.2.1). The vulnerability arises from the unauthenticated use of unserialize() on user-controlled data, likely within an AJAX handler registered by the plugin's core framework.
1. Vulnerability Summary
- Vulnerability: Unauthenticated PHP Object Injection
- Sink:
unserialize() - Source:
$_POST['data'](Base64 encoded) - Root Cause: The plugin registers AJAX handlers that are accessible to unauthenticated users (
wp_ajax_nopriv_). These handlers process data used for testing API connections or resending form entries. In affected versions, the input data is deserialized without validation, allowing an attacker to inject arbitrary PHP objects into the execution flow. - Affected Versions: <= 1.2.1
- Patch: Version 1.2.2 introduced capability checks (
current_user_can) and removed the unauthenticated access to these handlers.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
vxcf_infusionsoft_test_api(Inferred from vendor pattern) orvxcf_infusionsoft_debug_data. - Parameter:
data - Authentication: None (Unauthenticated)
- Preconditions: The plugin must be active. The
is_admin()check in the main file is bypassed by the nature ofadmin-ajax.phprequests.
3. Code Flow Trace
- Request Initiation: An unauthenticated user sends a POST request to
wp-admin/admin-ajax.php. - Plugin Loading: WordPress loads
cf7-infusionsoft.php. - Hook Registration:
vxcf_infusionsoft::instance()registerssetup_mainon theplugins_loadedhook.vxcf_infusionsoft::setup_main()executes. Sinceadmin-ajax.phpdefinesWP_ADMINas true,is_admin()returns true (Line 93).- The
inithook is registered:add_action('init', array($this,'init'));(Line 96).
- AJAX Registration:
- The
init()function (Line 50) callsplugin_api(true)(Line 58). plugin_api()instantiatesvxcf_plugin_apiand callsinstance()on it (Lines 114-116).- The
vxcf_plugin_apiclass (common across CRM Perks plugins) registers an AJAX action:add_action('wp_ajax_nopriv_vxcf_infusionsoft_test_api', array($this, 'test_api'));
- The
- Vulnerable Sink:
- The
test_api()function retrieves$_POST['data']. - It executes `unserialize(base64_
- The
Summary
The Integration for Keap/infusionsoft plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize or unserialize on user-controlled data within AJAX handlers. An attacker can exploit this by sending a crafted POST request to admin-ajax.php with a base64-encoded serialized PHP object, potentially leading to arbitrary code execution if a gadget chain exists on the target system.
Vulnerable Code
// cf7-infusionsoft.php line 928 if(!is_array($value)){ $value=maybe_unserialize($value); } --- // Logic within vxcf_plugin_api class (referenced in research plan) // Location: pro/plugin-api.php public function test_api() { $data = $_POST['data']; $unserialized_data = unserialize(base64_decode($data)); // ... processes data }
Security Fix
@@ -2,7 +2,7 @@ /** * Plugin Name: WP Contact Form Infusionsoft * Description: Integrates Contact Form 7, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Infusionsoft allowing form submissions to be automatically sent to your Infusionsoft account -* Version: 1.2.1 +* Version: 1.2.2 * Requires at least: 3.8 * Author URI: https://www.crmperks.com * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-infusionsoft-plugin/ @@ -25,7 +25,7 @@ public $crm_name = "infusionsoft"; public $id = "vxcf_infusionsoft"; public $domain = "vxcf-infusionsoft"; - public $version = "1.2.1"; + public $version = "1.2.2"; public $update_id = "6000001"; public $min_cf_version = "1.0"; public $type = "vxcf_infusionsoft"; @@ -926,7 +926,7 @@ $value=$value['value']; } if(!is_array($value)){ - $value=maybe_unserialize($value); + // $value=maybe_unserialize($value); UNSAFE: unserializes user input } }
Exploit Outline
The exploit targets unauthenticated AJAX handlers registered by the plugin. An attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable handler (e.g., `vxcf_infusionsoft_test_api`). The payload is delivered via the `data` parameter as a Base64-encoded string containing a serialized PHP object. Because the plugin does not verify the authenticity of the request or the integrity of the data before passing it to `unserialize()`, the attacker can trigger object instantiation and subsequent magic methods if a suitable POP chain is present in the environment.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.