Security News PHP Deserialization Issue Left Unfixed in WordPress CMS

LASER_oneXM

Feb 4, 2016
WordPress CMS installations are vulnerable to a PHP bug related to data deserialization (also known as unserialization), a security researcher has revealed at the start of the month.
The bug was reported to the WordPress team on February 28, 2017, but has remained unfixed to this day, more than a year and a half after the first report.

Vulnerability is in PHP, not WordPress per se

The issue doesn't affect WordPress only —the Internet's most widespread CMS— but all PHP-based applications and libraries that handle user-supplied data.
The vulnerability is in the way PHP converts PHP objects (raw data) into strings and back into PHP objects again. This process is called serialization and deserialization, respectively, and is used in all programming languages to move data between different servers, services, or apps.

New PHP deserialization attack discovered

Speaking at two security conferences this month —Black Hat Las Vegas and BSides Manchester— Sam Thomas, a security researcher with Secarma Labs, has revealed a new way of using PHP's deserialization process to achieve code execution on servers and apps.
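Why deserializing untrusted data is dangerous, and what the safer options look like, as an added PHP example that is not part of the news article or of the research it reports on. The `AuditLog` class, its `__wakeup` method and the serialized sample string are all constructed for this demonstration; the `allowed_classes` option of `unserialize()` (PHP 7.0+) and `JSON_THROW_ON_ERROR` (PHP 7.3+) are real language features.

```php
<?php
// Added example, not from the article: shows that unserialize() on
// attacker-controlled text instantiates whatever class the text names
// and runs that class's magic methods, and shows two mitigations.
// Class name, method body and sample payload are constructed here.

class AuditLog
{
    public $file = 'app.log';

    // PHP calls __wakeup() automatically while unserializing an object.
    // In real code such methods often open files, run queries, or call
    // other objects, which is what deserialization attacks chain together.
    public function __wakeup()
    {
        echo "[__wakeup] AuditLog restored, file={$this->file}\n";
    }
}

// A serialized PHP value is plain text. Whoever supplies it decides
// which class is created and what every property contains.
// (Constructed sample: an AuditLog whose 'file' property was changed.)
$untrusted = 'O:8:"AuditLog":1:{s:4:"file";s:13:"untrusted.log";}';

// 1. Unsafe: trusts the input completely. An AuditLog object is created
//    and __wakeup() runs before the application sees the result.
$obj = unserialize($untrusted);
var_dump($obj instanceof AuditLog);          // bool(true)

// 2. Safer: forbid object instantiation. Any object in the input becomes
//    __PHP_Incomplete_Class and no magic method of AuditLog is executed.
$obj = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true)

// 2b. If objects are genuinely needed, allow only an explicit list.
$obj = unserialize($untrusted, ['allowed_classes' => ['AuditLog']]);

// 3. Preferred for data exchange: JSON. It carries scalars, arrays and
//    maps only, so there is no class to instantiate and no magic method.
$data = json_decode('{"file":"app.log"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($data['file']);                      // string(7) "app.log"
```

Run it with `php example.php`. The first `unserialize()` call prints the `[__wakeup]` line, the second does not, which is the whole point: the safe variants never hand control to code inside the deserialized object. When auditing a PHP application, look for every `unserialize()` call whose argument can be influenced by a request, a cookie, a database row or an uploaded file, and treat each one without an `allowed_classes` restriction as a finding.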