WordPress Plugin Vulnerabilities

BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization

Description

The plugin does not validate the url parameter of its upload_image_from_url AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation granted they an upload a file to the server and a suitable gadget chain is present as well

Proof of Concept

1. Create a malicious phar file.
2. Upload the malicious phar file as an image via the upload_image_from_url action.
3. Call the file with the phar:// wrapper using the same action.

Affects Plugins

Plugin icon
buddyforms
Fixed in 2.7.8

References

CVE
CVE-2023-26326

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Joshua Martinelle (Tenable Research)
Verified
No
WPVDB ID
a554091e-39d1-4e7e-bbcf-19b2a7b8e89f

Timeline

Publicly Published
2023-02-23 (about 1 years ago)
Added
2023-02-24 (about 1 years ago)
Last Updated
2023-02-24 (about 1 years ago)

Other

Published
Title
Published
2021-06-08
Title
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
Published
2024-01-24
Title
Advanced Database Cleaner < 3.1.4 - Administrator+ PHP Object Injection
Published
2024-01-03
Title
HTML5 SoundCloud Player <= 2.8.0 - Authenticated (Author+) PHP Object Injection
Published
2019-09-19
Title
WP Google Map Plugin < 4.1.0 - CSRF to Unauthenticated PHP Object Injection
Published
2018-03-02
Title
WP Job Manager < 1.29.3 - Unauthenticated Object Injection