Thursday, April 17, 2025
HomeCVE/vulnerabilityGoogle Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

Published on

SIEM as a Service

Follow Us on Google News

Introduction

The Google Forms WordPress Plugin fetches a published Google Form using a WordPress custom post or shortcode, removes the Google wrapper HTML and then renders it as an HTML form embedded in your blog post or page.

A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects.


Abstract

A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin by sumofpwn, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

- Advertisement - Google News

OVE ID

OVE-20160803-0001


Tested versions

This issue was successfully tested on the Google Forms WordPress Plugin version 0.84 – 0.87.


Fix

This issue is resolved in Google Forms version 0.91.


Details

This issue is possible due to two unsafe calls to unserialize() in the ProcessGoogleForm() method. The input is taken directly from the POST request as can be seen in the following code fragment:

wpgform-core.php:

// Need the action which was saved during form construction
$action = unserialize(base64_decode($_POST['wpgform-action'])) ;
unset($_POST['wpgform-action']) ;
$options = $_POST['wpgform-options'] ;
unset($_POST['wpgform-options']) ;
$options = unserialize(base64_decode($options)) ;

It has been confirmed that this issues can be used to execute arbitrary PHP code.

Likewise you can Read: WordPress Plugin Stop User Enumeration does not stop user enumeration

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...

Microsoft Vulnerabilities Reach Record High with Over 1,300 Reported in 2024

The 12th Edition of the Microsoft Vulnerabilities Report has revealed a significant surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Critical Erlang/OTP SSH Vulnerability Allow Hackers Execute Arbitrary Code Remotely

A major security flaw has been uncovered in the widely used Erlang/OTP SSH implementation,...

CISA Warns of Potential Credential Exploits Linked to Oracle Cloud Hack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a public warning following reports...

Critical Flaw in PHP’s extract() Function Enables Arbitrary Code Execution

A critical vulnerability in PHP’s extract() function has been uncovered, enabling attackers to execute arbitrary code...