WordPress PHP Object Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C3 CWE-502 WASC-20

PHP Object Injection is an application-level vulnerability. It arises when an application passes user-supplied input to PHP's `unserialize()` function without sanitising it first, so an attacker who controls the serialized string can choose which classes are instantiated and with which property values, and any magic methods on those classes (such as `__wakeup()` or `__destruct()`) run with attacker-chosen data. Many plugins in the WordPress library contain this flaw and can therefore be attacked remotely. Attackers can exploit the issue to execute malicious PHP code on the web server, and depending on the classes available in the application, to perform Code Injection, SQL Injection, Path Traversal and Application Denial of Service attacks.


The impacts of this vulnerability include:

  • Code injection
  • SQL injection
  • Path traversal
  • Denial of service
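The pattern described above, unsanitised input fed straight into `unserialize()`, beside a hardened loader, as an added example that is not code from the original page or from any WordPress plugin. The `Prefs` class, the cookie format, the HMAC key and the function names are assumptions made for illustration.

```php
<?php
// Added example (not from the original page): an insecure deserialization sink
// fed by user input, next to a hardened version. Class and cookie layout are
// assumed for illustration; the HMAC key would come from wp-config.php in practice.
declare(strict_types=1);

// A class the application legitimately stores. Its magic method runs on
// deserialization, which is why attacker-controlled object graphs are dangerous:
// whatever __wakeup()/__destruct() does, it does with attacker-chosen properties.
class Prefs
{
    public string $theme = 'light';
    public int $pageSize = 20;

    public function __wakeup(): void
    {
        // Illustrative side effect only; a real gadget might write a file or run a query.
        error_log('Prefs::__wakeup() ran during unserialize()');
    }
}

// VULNERABLE: the raw cookie value reaches unserialize() unchanged. Any class
// loaded by WordPress or any plugin becomes reachable from the request.
function load_prefs_vulnerable(string $cookie)
{
    return unserialize($cookie);
}

// HARDENED: three independent checks, each sufficient to stop the object injection.
//  1. Only accept values this server signed (hash_equals avoids timing leaks).
//  2. Refuse object instantiation: allowed_classes => false turns every serialized
//     object into __PHP_Incomplete_Class, so no magic method ever runs.
//  3. Enforce the expected shape and value ranges instead of trusting the payload.
function load_prefs_hardened(string $cookie, string $hmacKey): array
{
    $parts = explode('.', $cookie, 2);          // format: <hex hmac>.<base64 data>
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $b64] = $parts;
    $data = base64_decode($b64, true);
    if ($data === false || !hash_equals(hash_hmac('sha256', $data, $hmacKey), $mac)) {
        return [];                              // tampered or unsigned: discard
    }

    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return [];                              // objects (even legitimate ones) are not accepted here
    }
    $theme = $decoded['theme'] ?? 'light';
    return [
        'theme'    => in_array($theme, ['light', 'dark'], true) ? $theme : 'light',
        'pageSize' => max(1, min(100, (int) ($decoded['pageSize'] ?? 20))),
    ];
}

// Preferred: store preferences in a format that cannot express objects at all.
function load_prefs_json(string $cookie): array
{
    $decoded = json_decode($cookie, true, 4, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// --- Demonstration with constructed inputs (no real cookie involved) ---
$key = 'constructed-demo-key-replace-with-wp-config-secret';

// A serialized object of the application's own class: the vulnerable loader
// instantiates it and __wakeup() fires; the hardened loader rejects it.
$objectPayload = serialize(new Prefs());
var_dump(load_prefs_vulnerable($objectPayload) instanceof Prefs);   // bool(true), __wakeup logged
var_dump(load_prefs_hardened($objectPayload, $key));                 // array(0) {} (unsigned)

// A properly signed plain-array value is the only thing the hardened loader accepts.
$plain  = serialize(['theme' => 'dark', 'pageSize' => 500]);
$signed = hash_hmac('sha256', $plain, $key) . '.' . base64_encode($plain);
var_dump(load_prefs_hardened($signed, $key));                        // theme "dark", pageSize clamped to 100

// Even a signed object is neutralised: allowed_classes => false yields
// __PHP_Incomplete_Class, which fails the is_array() check.
$signedObj = hash_hmac('sha256', $objectPayload, $key) . '.' . base64_encode($objectPayload);
var_dump(load_prefs_hardened($signedObj, $key));                     // array(0) {}

var_dump(load_prefs_json('{"theme":"dark","pageSize":10}'));
```

The key design point is layering: signing stops tampered cookies at the door, `allowed_classes => false` removes the object-instantiation primitive entirely, and the shape check means a plugin never trusts the decoded structure. Where the stored data is plain configuration, switching to JSON removes the `unserialize()` sink altogether, which is the simplest fix to audit.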

Mitigation / Precaution

