PHP Object Injection Vulnerability in WordPress: an Analysis
Author: Tom Van Goethem
With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source, and reviewed by security researchers, WordPress is—just as any other software—prone to errors and vulnerabilities.
In this talk, the author will discuss how the unexpected behavior of MySQL led to the discovery of a PHP Object Injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited in order to run arbitrary code on WordPress installations that have a popular plugin enabled.
Tom Van Goethem is a PhD student at KU Leuven (Belgium).