When Design Turns Dangerous

A Deep Dive into Themesflat Addons For Elementor's PHP Object Injection Vulnerability

Cory Marsh

Published on Saturday September 23, 2023

Cory Marsh has over 20 years Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's you tube channel.

themesflat-addons-for-elementor, 30,000 sites hacked

PHP Object Injection Unauthenticated

Let's talk about WordPress, the juggernaut that powers an unfathomable number of websites across the globe. It's ubiquitous and, at times, too trusting—just like the Themesflat Addons For Elementor plugin, which has stumbled into a PHP Object Injection vulnerability.

View CVE Report: CVE-2023-37390

View On WordPress.org: themesflat-addons-for-elementor

View On Trac: plugins.trac.wordpress.org

Themesflat Addons For Elementor

"Themesflat addon focuses on support for the author build Template Kits for sale at Template Kits Elementor all in one. Just download only 1 plugin Themesflat Addon You will have the full wdiget build kit export, import display results as demo link"
-- themesflat-addons-for-elementor

Image Box
Carousel box
E Slider

Serilaized data - here be dragons...

BitFire's 0-day protection of CVE-2023-37390 vulnerability

The Gory Details

This plugin is essentially a Swiss Army knife for those wanting to beautify their WordPress sites. It's a must-have if you are selling Template Kits for Elementor. The vulnerability in question affects versions up to, and including, 2.0.0 and manifests through the 'settings' parameter retrieved from the tf_product_filter nopriv AJAX action. This flaw allows attackers to inject malicious PHP Objects into the site, which could lead to a myriad of compromises if a PHP POP chain is active on the site.

POP Goes the Weasel

In simple terms, PHP Object Injection can serve as the entry point for all sorts of malicious activity, but it needs a little help to do so. That help comes in the form of a PHP POP (Property-Oriented Programming) chain. If an attacker is able to locate a functioning POP chain, things go from bad to downright catastrophic. We're talking about arbitrary file deletion, sensitive data exposure, and potentially even remote code execution.

Proactive Mitigations

First things first: Update your Themesflat Addons For Elementor plugin. No excuses.

Next, let's talk firewalls. If you’re a website administrator looking to mitigate risk from object injection attacks, a quality firewall like BitFire should be on your radar. Firewalls serve as a first line of defense against various types of attacks, including those that exploit PHP Object Injection vulnerabilities.

Conclusion

While Themesflat Addons For Elementor may make your site look pretty, a vulnerability of this caliber shows how quickly beauty can turn into a beast. In a digital world that’s constantly under siege, protective measures such as BitFire firewall could make all the difference. Secure your site, because when design aesthetics lead to design vulnerabilities, nobody wins.

Removed Code

/frontend/models/form_maker.php


<?php
add_action('wp_ajax_tf_product_filter', 'tf_product_render');
add_action('wp_ajax_nopriv_tf_product_filter', 'tf_product_render');
...
'location' => unserialize( $local_post->meta_value ),

Replaced Code


<?php

...
'location' =>  $local_post->meta_value,