WordPress Plugin Vulnerabilities

Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection

Description

The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}

Then, run the below command in the developer console of the web browser while being on the blog as unauthenticated and reload the page to see the Arbitrary deserialization message.

document.cookie='es_wishlist=O:4:"Evil":0:{}'

Affects Plugins

Plugin icon
estatik
Fixed in 4.1.1

References

CVE
CVE-2023-6049

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
8cfd8c1f-2834-4a94-a3fa-c0cfbe78a8b7

Timeline

Publicly Published
2023-12-25 (about 4 months ago)
Added
2023-12-25 (about 4 months ago)
Last Updated
2023-12-25 (about 4 months ago)

Other

Published
Title
Published
2024-04-16
Title
Master Slider < 3.9.7 - Unauthenticated PHP Object Injection
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
Published
2024-03-28
Title
Button < 1.1.28 - Contributor+ PHP Object Injection in button_shortcode
Published
2024-05-03
Title
ConvertPlug < 3.5.26 - Authenticated (Contributor+) PHP Object Injection
Published
2020-08-03
Title
Newsletter < 6.8.2 - Authenticated PHP Object Injection