Impact

Unserialization of untrusted data.

Patches

The issue has been patched and users of Requests 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.

References

Publications about the vulnerability:

• https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress
• ambionics/phpggc#52
• https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/
• https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf
• https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
• https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf
• https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f

Originally fixed in WordPress 5.5.2:

• WordPress/wordpress-develop@add6bed
• https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/

Related Security Advisories:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032
• https://nvd.nist.gov/vuln/detail/CVE-2020-28032

Notification to the Requests repo including a fix in:

• #421 and
• #422

For more information

If you have any questions or comments about this advisory:

• Open an issue in Request