WordPress Plugin Vulnerabilities

Starter Templates by Kadence WP < 1.2.17 - Admin+ PHP Object Injection

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named import.dat with the below content and import it (via Appearance > Customize > Import/Export):

O:4:"Evil":0:{};

Affects Plugins

Plugin icon
kadence-starter-templates
Fixed in 1.2.17

References

CVE
CVE-2022-3679

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Nguyen Pham Viet Nam
Submitter
Nguyen Pham Viet Nam
Submitter website
https://github.com/zzz25251325zzz
Verified
Yes
WPVDB ID
ec4b9bf7-71d6-4528-9dd1-cc7779624760

Timeline

Publicly Published
2022-12-16 (about 1 years ago)
Added
2022-12-16 (about 1 years ago)
Last Updated
2022-12-16 (about 1 years ago)

Other

Published
Title
Published
2024-04-29
Title
Photo Gallery <= 1.4.1 - Authenticated(Contributor+) PHP Object Injection via Shortcode
Published
2024-04-29
Title
Event Monster <= 1.3.4 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
Published
2022-09-05
Title
NinjaForms < 3.6.13 - Admin+ PHP Objection Injection
Published
2024-03-15
Title
Social Media Share Buttons <= 2.1.0 - Authenticated (Subscriber+) PHP Object Injection
Published
2022-06-15
Title
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection