AppSec Europe 2018

WordPress is used by 30% of all the websites. Due to its wide adoption it is a popular target for attackers. Security vulnerabilities are actively exploited in outdated cores and plugins in order to compromise large amounts of installations. Although the Wordpress core is audited and reviewed daily by bug bounty hunters and its great community, security vulnerabilities still pop up due to the intrinsic features of the PHP language. Further, the wide adoption and extension of the WordPress core prevents to switch to modern best practices and enforces the maintenance of legacy code.
 In this talk we will look at a fundamental design flaw of the WordPress core which lead to a series of severe security issues. We will examine how a custom design of prepared statements did not only lead to SQL injection vulnerabilities but also to a new type of PHP object injection. We will analyze the characteristics of this specific occurrence and how to spot it in other PHP projects. The goal of this talk is to introduce a new and generic exploitation technique as well as guidance for WordPress and other developers on how to prevent the presented issues.