Weaver Xtreme Theme Support < 6.3.1 – Admin+ PHP Object Injection | CVE 2023-4971 | Plugin Vulnerabilities

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Test {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named "poc.txt" with the following content: O:4:"Test":0:{};

Upload the file via the "Choose File" feature in Weaver Xtreme Theme Support > Filters

Then choose Restore Filter Options.

The view the response of the request made, which will have the "Arbitrary deserialization" message.

Affects Plugins

weaverx-theme-support

Fixed in 6.3.1

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Do Xuan Trung

Submitter

Do Xuan Trung

Verified

Yes

WPVDB ID

421194e1-6c3f-4972-8f3c-de1b9d2bcb13

Timeline

Publicly Published

2023-09-19 (about 2 years ago)

Added

2023-09-19 (about 2 years ago)

Last Updated

2023-09-19 (about 2 years ago)

Other

Published

Title

Published

2025-06-09

Title

Themify Edmin <= 2.0.0 - Authenticated (Contributor+) PHP Object Injection

Published

2024-09-24

Title

Prisna GWT - Google Website Translator < 1.4.12 - Authenticated (Admin+) PHP Object Injection

Published

2025-03-27

Title

Rapyd Payment Extension for WooCommerce <= 1.1.9 - Unauthenticated PHP Object Injection

Published

2024-11-19

Title

Clone < 2.4.7 - Unauthenticated PHP Object Injection via 'recursive_unserialized_replace'

Published

2025-05-07

Title

CoinPayments.net Payment Gateway for WooCommerce < 1.0.18 - Unauthenticated PHP Object Injection