Starter Templates by Kadence WP < 1.2.17 – Admin+ PHP Object Injection | CVE 2022-3679 | Plugin Vulnerabilities

Description

The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a file named import.dat with the below content and import it (via Appearance > Customize > Import/Export):

O:4:"Evil":0:{};

Affects Plugins

kadence-starter-templates

Fixed in 1.2.17

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Pham Viet Nam

Submitter

Nguyen Pham Viet Nam

Submitter website

https://github.com/zzz25251325zzz

Verified

Yes

WPVDB ID

ec4b9bf7-71d6-4528-9dd1-cc7779624760

Timeline

Publicly Published

2022-12-16 (about 3 years ago)

Added

2022-12-16 (about 3 years ago)

Last Updated

2022-12-16 (about 3 years ago)

Other

Published

Title

Published

2025-10-28

Title

Polylang < 3.7.4 - Contributor+ PHP Object Injection

Published

2024-05-14

Title

Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection

Published

2024-10-09

Title

Talkback <= 1.0 - Unauthenticated PHP Object Injection

Published

2025-10-03

Title

JobSearch < 3.0.8 - Unauthenticated PHP Object Injection

Published

2024-01-24

Title

Better Search Replace < 1.4.5 - Unauthenticated PHP Object Injection