Vulnerability in WordPress Anti-Spam Plugin affects up to 60,000+ websites

A WordPress anti-spam plugin with over 60,000 installs patched a PHP object injection vulnerability caused by improper input sanitization, subsequently allowing base64-encoded user input.

An unauthenticated PHP object injection vulnerability was found in the popular Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin.

The purpose of the plugin is to stop spam in comments, forms and registrations. It can stop spam bots and has the option for users to enter IP addresses for blocking.

It is a mandatory practice for any WordPress plugin or form that accepts user input to allow only the specific kinds of input that are expected, such as text, images or email addresses.

Unexpected input should be filtered out. This filtering process that keeps unwanted input out is called sanitization.

For example, a contact form should check what is being submitted and reject or sanitize anything that is not the expected text.

The vulnerability discovered in the anti-spam plugin allowed Base64-encoded user input to reach the plugin's deserialization routine, which can then trigger a type of vulnerability called PHP object injection.

The description of the vulnerability published on the WPScan website describes the problem as follows:

“The plugin passes base64 encoded user input to the unserialize() PHP function when using CAPTCHA as the second challenge, which could result in PHP object injection if a plugin installed on the blog has an appropriate gadget chain…”

The vulnerability is classified as insecure deserialization.
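As an added illustration (not the plugin's own code, which the page does not show), the unsafe pattern the WPScan description refers to, beside two hardened alternatives; the token format, the field names and the function names are assumptions:

```php
<?php
// Added illustration, not the plugin's code. A hypothetical "second challenge"
// token is read from the request, base64-decoded and handed to unserialize().

// Constructed sample token: what a legitimate client would send.
$legit = base64_encode(serialize(['ip' => '203.0.113.7', 'ts' => 1700000000]));

// UNSAFE: unserialize() instantiates any class loaded in the PHP process that the
// token names and runs its __wakeup()/__destruct() hooks. If another installed
// plugin supplies a usable gadget chain, an unauthenticated request reaches it.
function decode_challenge_unsafe(string $token)
{
    return unserialize(base64_decode($token));
}

// Hardened, option 1: keep the format but forbid object creation (PHP >= 7.0).
// Any object in the payload becomes __PHP_Incomplete_Class and no hooks run.
function decode_challenge_no_objects(string $token)
{
    $raw = base64_decode($token, true);      // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened, option 2 (preferred): use a data-only format and validate the shape
// of what comes back before trusting any of it.
function decode_challenge_json(string $token): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data)
        || !isset($data['ip'], $data['ts'])
        || filter_var($data['ip'], FILTER_VALIDATE_IP) === false
        || !is_int($data['ts'])) {
        return null;                         // anything unexpected is dropped
    }
    return $data;
}

// A serialized-PHP token is rejected outright by the JSON variant, while the
// allowed_classes variant still yields the plain array without creating objects.
var_dump(decode_challenge_json($legit));
var_dump(decode_challenge_no_objects($legit));
```

The `allowed_classes` option only blocks object creation; it does not validate the data, so the JSON variant's explicit field checks are the pattern to prefer for new code.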

The nonprofit Open Web Application Security Project (OWASP) describes the potential impact of this type of vulnerability as severe, which may or may not be the case with this vulnerability.

The description at OWASP:

“The impact of deserialization errors cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks out there.
The business impact depends on the application and data protection needs.”

But OWASP also notes that exploiting this type of vulnerability tends to be difficult:

“Exploiting deserialization is somewhat difficult, as standard exploits rarely work without modifications or tweaks to the underlying exploit code.”

The vulnerability in the WordPress plugin Stop Spammers Security has been fixed in version 2022.6.

The Stop Spammers Security official changelog (a description with dates of various updates) notes the fix as a security improvement.

Stop Spammers Security plugin users should consider updating to the latest version to prevent a hacker from exploiting the plugin.

Read the official notification in the United States Government National Vulnerability Database:

CVE-2022-4120 detail

Read the WPScan publication for details about this vulnerability:

Stop Spammers Security < 2022.6 - Unauthenticated PHP object injection

Featured image from Shutterstock/Luis Molinero
