I wrote about an influx of PHP Object Injection attacks previously, warning about a trend of attacks targeting a known but somewhat under-reported PHP vulnerability. Looking back since that time, I get the odd feeling that object injection (or as they’re sometimes called unserialize) vulnerabilities keep cropping up. Wondering if this is just a frequency illusion (once you notice something like a certain make/model of a car, you notice it everywhere!) or actually a trend; I dug into the numbers. Confirming Growth: These type of attacks are in fact becoming more popular. Using WPVulnDB.com (a website which keeps tracks of WordPress core, theme and plugin vulnerabilities) I found that object injection vulnerabilities had 1 report in 2014, 4 in 2015, then doubled to 8 in 2016 and so far in 2017 there have been 13 reports (not bad for half way through the year) Back in November, I reported seeing a spike in attacks targeting insecure objects, and looking historically at reported vulnerabilities, we’re seeing these numbers going up each year. It’s not a stretch that these two facts lead me to suspect the WordPress and plugin developer communities may have had no (or bad)
Share This