This issue has been fixed in version 2.6.1 of both plugins.

PublishPress Capabilities Pro WordPress plugin before 2.6.1 uses an insecure method to unserialize a user-supplied file name. This could lead to a situation in which an administrator can inject arbitrary PHP code into the plugin's functions.

In PublishPress Capabilities Pro WordPress plugin before 2.5.2, the file_save_as filter is used to handle the serialization of a user-supplied file name. This insecure function uses unserialize() in an unsafe manner, which could lead to PHP object injection attacks by an administrator.

The PublishPress Capabilities Pro WordPress plugin before 2.5.2 does not sanitize input when handling file uploads from users. This issue could lead to an input containing malicious code that is executed by the plugin.

Mitigation of the Issue

PublishPress Capabilities Pro WordPress plugin before 2.6.1 unserializes a user-supplied file name with an insecure method, which allows an administrator to inject arbitrary PHP code into the plugin's functions. Version 2.6.1 addresses this by using the safer serialize() method instead of unserialize().

In PublishPress Capabilities Pro WordPress plugin before 2.5.2, the file_save_as filter handles the serialization of a user-supplied file name and calls unserialize() in an unsafe manner, which could lead to PHP object injection attacks by an administrator. Version 2.5.2 addresses this by sanitizing input when handling file uploads from users, so that they cannot upload malicious code that the plugin would execute.
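The two descriptions above come down to one pattern: a filter callback that hands user-controlled data to unserialize(). The following is an added illustration, not code from the PublishPress plugin, of why that is dangerous and what a hardened replacement looks like. The function names, the constructed sample inputs and the stand-in sanitizer are all hypothetical; the real plugin's filter signature is not reproduced here.

```php
<?php
// Added illustration (not the plugin's code): the unsafe pattern beside a
// hardened one. All names and sample inputs below are hypothetical.

declare(strict_types=1);

// Unsafe pattern: a filter callback that trusts a serialized string taken
// from user input. unserialize() instantiates whatever class the payload
// names, so every class with __wakeup()/__destruct() side effects that is
// loaded at that moment becomes reachable (PHP object injection).
function unsafe_file_save_as(string $user_value): mixed
{
    return unserialize($user_value);
}

// Hardened pattern:
//  1. refuse object instantiation outright (allowed_classes => false),
//  2. insist on the single scalar type the caller actually needs,
//  3. sanitize the resulting name before it reaches the filesystem.
function hardened_file_save_as(string $user_value): ?string
{
    $decoded = @unserialize($user_value, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; any object in the
    // payload is now a __PHP_Incomplete_Class and fails this check, as do
    // arrays, integers and booleans. Only a plain string passes.
    if (!is_string($decoded)) {
        return null;
    }
    return sanitize_name($decoded);
}

// Stand-in for WordPress' sanitize_file_name() so the snippet runs outside
// WordPress: drop directory components and anything outside a conservative
// character set, and refuse dotfiles, which also removes "..".
function sanitize_name(string $name): ?string
{
    $name = basename($name);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    $name = ltrim($name, '.');
    return $name === '' ? null : $name;
}

// Constructed sample inputs.
$legit  = serialize('report-2022.csv');                     // what the feature expects
$object = 'O:8:"stdClass":1:{s:4:"name";s:1:"x";}';         // an object payload
$path   = serialize('../../wp-config.php');                  // a traversal attempt

var_dump(hardened_file_save_as($legit));     // the plain file name survives
var_dump(hardened_file_save_as($object));    // rejected: no object reaches the caller
var_dump(hardened_file_save_as($path));      // reduced to a bare base name
var_dump(unsafe_file_save_as($object));      // an instantiated stdClass: the exposure
```

The deeper fix is to stop serializing at all: a file name is a single string and can be passed through a filter as a plain string, which removes the unserialize() call and the entire class of object-injection issues with it. Where a serialized blob genuinely must be accepted, `allowed_classes => false` plus a strict type check is the minimum, and the result still needs the same file-name sanitization as any other upload path.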

Solution:

If your site runs a version of the plugin older than 2.6.1 (or older than 2.5.2 for the earlier issue), please update to these versions to resolve this security issue.

Description of the problem

PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes a user-supplied file name with an insecure method and passes it through a filter that does not sanitize it. This can lead to PHP object injection attacks and to uploads of files containing malicious code by an administrator.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 13:54:00 UTC
