Twice a day the blog makes an automated unencrypted HTTP request to
premium.wpmudev.org and the value that is returned is passed to
unserialize(). It is possible for
premium.wpmudev.org or any one on the network in a man-in-the-middle position to return a string that contains an evil encoded object that executes arbitrary code (depending on the active plugins and themes).
This code is called twice a day by
wp_schedule_event(time(), 'twicedaily', 'wpmudev_scheduled_jobs') (extra/wpmudev-dash-notification.php):
var $server_url = 'http://premium.wpmudev.org/wdp-un.php'; // line 12 $url = $this->server_url . '?action=check&un-version=3.3.3&wp=' . urlencode($wp) . '&bcount=' . $blog_count . '&domain=' . urlencode(network_site_url()) . $projects; // line 393 $response = wp_remote_get($url, $options); // line 400 $data = $response['body']; // line 402 $data = unserialize($data); // line 404
There is a class called
ProcessLocker in this plugin with an exploitable
__destruct method, which could be used as a jumping-off point for attacks using this
unserialize() vulnerability (or the use of
unserialize() in WordPress core which requires access to the database to exploit).
Proof of concept
Achieving arbitrary code execution depends on which classes are available (i.e. which plugins and themes are installed and active). It won’t be possible in all situations.
Upgrade to version 18.104.22.168 or later.