Unauthenticated PHP Object Injection in Flatsome Theme <= 3.17.5

Published 6 September 2023
Table of Contents

This blog post is about the Flatsome theme vulnerability. If you’re a Flatsome user, please update the plugin to at least version 3.17.6.

Patchstack Developer and Business users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

About the Flatsome Theme

The theme Flatsome (versions 3.17.5 and below, premium version), which is estimated to have over 660,000 active installations, is one of the best-selling WooCommerce themes at ThemeForest. This plugin is developed by UX-Themes.

This theme is a premium builder focused for the WooCommerce site development. Flatsome is the theme claimed to be suitable for an agency or freelancer. It has got all the tools needed to create super-fast responsive websites with amazing user experience. It has got unlimited options and a revolutionary responsive page builder, so we can create anything without coding.

The security vulnerability

The Flatsome theme suffers from an unauthenticated PHP Object Injection vulnerability. This issue occurs when user-supplied input is not properly sanitized before being passed to the maybe_unserialize function which is a wrapper for PHP unserialize function.

Since PHP allows object serialization, an unauthenticated user could pass ad-hoc serialized strings to a vulnerable unserialize call, resulting in an arbitrary PHP object(s) injection into the application scope. The described vulnerability was fixed in version 3.17.6 and assigned CVE-2023-40555.

The underlying vulnerability exists in the flatsome_ajax_load_instagram function:

function flatsome_ajax_load_instagram () {
	$data = isset( $_GET['data'] ) ? (string) $_GET['data'] : '';

	list( $hash, $value ) = explode( ':', $data, 2 );

	if ( empty( $value ) || empty( $hash ) ) {
		wp_send_json_error( 'Invalid data' );
	}

	$atts     = maybe_unserialize( base64_decode( $value ) );
	$tick     = ceil( time() / MONTH_IN_SECONDS );
	$expected = substr( wp_hash( $tick . $value ), -12, 10 );

	if ( ! hash_equals( $expected, $hash ) ) {
		wp_send_json_error( 'Invalid hash' );
	}

	$atts['loading'] = 'eager';

	$markup = ux_instagram_feed( $atts );

	wp_send_json_success( trim( $markup ) );
}
add_action( 'wp_ajax_flatsome_load_instagram', 'flatsome_ajax_load_instagram' );
add_action( 'wp_ajax_nopriv_flatsome_load_instagram', 'flatsome_ajax_load_instagram' );

We could see that the flatsome_ajax_load_instagram function is set as a function handler for the wp_ajax_nopriv_flatsome_load_instagram ajax action which indicates that the function can be reached by an unauthenticated user. The function will directly process the base64-decoded $value to the maybe_unserialize function. The $value itself is constructed from $data which directly comes from $_GET['data'] without any filtering or sanitization. Since the user can fully control $value, we can achieve arbitrary PHP object injection on the server.

Note that this vulnerability can be triggered on a default installation or configuration of the Flatsome theme without any additional setup requirements.

At the time this article was published, we were not able to discover a significant POP chain in the vulnerable plugin, making the impact of this issue limited. If a POP chain is present via an additional plugin or theme installed on the WordPress site, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code, depending on the available POP chain.

The patch

Since the issue is mainly because the plugin uses the unsafe maybe_unserialize function, replacing the function should be enough to fix the issue. In this case, the vendor decided to use the JSON format to process the $value data. The patch can be seen below:

Conclusion

The maybe_unserialize function is a wrapper for PHP unserialize function which is one of the more sensitive processes that could lead to a security issue. In general, we do not recommend using this method to process data that could be partially or fully controlled by user input.

We recommend using JSON instead of serialization to process more complex data structures. If the unserialize process is still needed on the application, we recommend at least configuring the allowed_classes option set to false.

Timeline

01 August, 2023We found the vulnerability and reached out to the plugin vendor.
07 August, 2023Flatsome theme version 3.17.6 released to patch the reported issues.
06 September, 2023Added the vulnerabilities to the Patchstack vulnerability database. Security advisory article publicly released.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.

The latest in Security advisories

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu