Weaver Xtreme Theme Support < 6.3.1 – Admin+ PHP Object Injection | CVE 2023-4971 | Plugin Vulnerabilities

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Test {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named "poc.txt" with the following content: O:4:"Test":0:{};

Upload the file via the "Choose File" feature in Weaver Xtreme Theme Support > Filters

Then choose Restore Filter Options.

The view the response of the request made, which will have the "Arbitrary deserialization" message.

Affects Plugins

weaverx-theme-support

Fixed in 6.3.1

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Do Xuan Trung

Submitter

Do Xuan Trung

Verified

Yes

WPVDB ID

421194e1-6c3f-4972-8f3c-de1b9d2bcb13

Timeline

Publicly Published

2023-09-19 (about 7 months ago)

Added

2023-09-19 (about 7 months ago)

Last Updated

2023-09-19 (about 7 months ago)

Other

Published

Title

Published

2021-04-20

Title

Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection

Published

2017-01-25

Title

InfiniteWP Client < 1.6.1.1 - Unauthenticated PHP Object Injection

Published

2022-10-17

Title

Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization

Published

2023-10-29

Title

WP Simple Galleries <= 1.34 - Contributor+ PHP Object Injection

Published

2023-11-15

Title

Welcart e-Commerce < 2.9.6 - Admin+ PHP Object Injection