WordPress CMS installations are vulnerable to a PHP bug related to data deserialization (also known as unserialization), a security researcher has revealed at the start of the month.

The bug was reported to the WordPress team on February 28, 2017, but remains unfixed to this day, more than a year and a half after the first report.

Vulnerability is in PHP, not WordPress per se

The issue affects not only WordPress, the Internet's most widespread CMS, but all PHP-based applications and libraries that handle user-supplied data.

The vulnerability is in the way PHP converts PHP objects (raw data) into strings and back into PHP objects again. These two steps are called serialization and deserialization, respectively, and are used in all programming languages to move data between different servers, services, or apps.

PHP’s serialization/deserialization process has been known to be vulnerable to various exploits since 2009 when German security researcher Stefan Esser documented the first attack leveraging flaws in the serialization/deserialization routine. Since then, other researchers have recorded various other methods of exploiting this process to take over servers and PHP applications [1, 2, 3].
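The round trip described above, as an added example that is not from the original article: it contrasts a plain `unserialize()` call on user-supplied data with one restricted by PHP's `allowed_classes` option. The class `TempFile` and the functions `loadWeak()` and `loadHardened()` are hypothetical names, and the serialized strings are constructed sample input.

```php
<?php
// Added example. TempFile, loadWeak() and loadHardened() are hypothetical
// names; the serialized strings below are constructed sample input.

class TempFile
{
    public $path;

    public function __destruct()
    {
        // Stand-in for a real side effect such as unlink($this->path).
        echo "destructor ran for: {$this->path}\n";
    }
}

// Weak: any class known to the application can be instantiated, with
// property values taken from the input string.
function loadWeak(string $input)
{
    return unserialize($input);
}

// Hardened: no classes are instantiated (PHP 7.0+), and anything that is
// not a flat array of scalars is rejected.
function loadHardened(string $input): array
{
    $value = unserialize($input, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected an array');
    }
    foreach ($value as $item) {
        if (!is_scalar($item)) {
            throw new UnexpectedValueException('expected scalar values');
        }
    }
    return $value;
}

$objectInput = 'O:8:"TempFile":1:{s:4:"path";s:15:"/tmp/report.tmp";}';
$arrayInput  = 'a:1:{s:4:"path";s:15:"/tmp/report.tmp";}';

$obj = loadWeak($objectInput);   // a TempFile built from the input string
unset($obj);                     // destroying it runs __destruct() with that path

var_dump(loadHardened($arrayInput));   // plain array, no object created
try {
    loadHardened($objectInput);        // arrives as __PHP_Incomplete_Class
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

With `allowed_classes` set to `false`, the object in the input is never instantiated as `TempFile`, so its destructor cannot run.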

New PHP deserialization attack discovered

Speaking at two security conferences this month —Black Hat Las Vegas and BSides Manchester— Sam Thomas, a security researcher with Secarma Labs, has revealed a new way of using PHP’s deserialization process to achieve code execution on servers and apps.

His technique relies on attackers having the ability to supply (upload) malformed data to a server. The…