WordPress Plugin Vulnerabilities

Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

Description

The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

1. Active this plugin and create a simple form.
2. Embed form in existing page.
3. Use anonymous user to fill in the text field with O:4:"Evil":0:{} and submit that form.
4. You will see the "Arbitrary deserialization" result.

Affects Plugins

Plugin icon
formidable
Fixed in 6.2

References

CVE
CVE-2023-1405

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Nguyen Huu Do
Submitter
Nguyen Huu Do
Verified
Yes
WPVDB ID
8c727a31-ff65-4472-8191-b1becc08192a

Timeline

Publicly Published
2023-04-06 (about 1 years ago)
Added
2023-04-06 (about 1 years ago)
Last Updated
2023-04-06 (about 1 years ago)

Other

Published
Title
Published
2024-05-07
Title
Advanced Ads – Ad Manager & AdSense < 1.52.2 - Authenticated (Admin+) PHP Object Injection
Published
2015-09-25
Title
WP Super Cache < 1.4.5 - PHP Object Injection
Published
2018-11-23
Title
Patreon Connect < 1.2.2 - PHP Object Injection
Published
2024-03-26
Title
Sunshine Photo Cart: Free Client Photo Galleries for Photographers < 3.1.2 - Unauthenticated PHP Object Injection
Published
2020-08-03
Title
Newsletter < 6.8.2 - Authenticated PHP Object Injection