php.wordpress-plugins.security.audit.wp-php-object-injection-audit.wp-php-object-injection-audit
semgrep
Author
unknown
Download Count*
License
If the data used inside the patterns are directly used without proper sanitization, then this could lead to PHP Object Injection. Do not use these function with user-supplied input, use JSON functions instead.
Run Locally
Run in CI
Defintion
rules:
- id: wp-php-object-injection-audit
patterns:
- pattern-either:
- pattern: unserialize(...)
- pattern: maybe_unserialize(...)
message: If the data used inside the patterns are directly used without proper
sanitization, then this could lead to PHP Object Injection. Do not use
these function with user-supplied input, use JSON functions instead.
paths:
include:
- wp-content/plugins/**/*.php
languages:
- php
severity: WARNING
metadata:
category: security
confidence: LOW
likelihood: LOW
impact: HIGH
subcategory:
- audit
technology:
- Wordpress Plugins
references:
- https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#php-object-injection
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A03:2021 - Injection
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
Examples
wp-php-object-injection-audit.php
<?php
// ruleid: wp-php-object-injection-audit
$content = unserialize($POST['post_content']);
// ruleid: wp-php-object-injection-audit
$rank_math=unserialize($rank_value);
// ruleid: wp-php-object-injection-audit
$import_options = maybe_unserialize($import->options);
// ruleid: wp-php-object-injection-audit
$data = unserialize(base64_decode($var));
// ok: wp-php-object-injection-audit
$data = serialize(base64_encode($var))
?>
Short Link: https://sg.run/G6X2