wpvulndb, Ramuel Gall, WPVDB-ID:F27991D8-8834-4CB2-84E1-BAD74FA94A5E
Aug 03, 2020 - 12:00 a.m.

Newsletter < 6.8.2 - Authenticated PHP Object Injection

2020-08-03 00:00:00
Ramuel Gall
wpscan.com
EPSS: 0.006 Low
Percentile: 79.0%

The 'restore_options_from_request' function, called by the AJAX function 'tnpc_render_callback', runs 'unserialize' directly on '$options['inline_edits']', which is taken from user input in the $_POST['options'] parameter. This creates the potential for an Object Injection vulnerability. For example, a user with minimal permissions, such as a subscriber, could send a POST request to wp-admin/admin-ajax.php with the 'action' parameter set to 'tpnc_render' and the 'options[inline_edits]' parameter set to a serialized object. Although the Newsletter plugin does not itself use any magic methods such as __destruct or __wakeup that could be used to complete a POP chain, these methods are common in third-party libraries and other plugins, and could therefore be used as part of a POP chain to execute arbitrary code or cause other critical-severity impacts.
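
The pattern described above next to a hardened counterpart, as an added PHP example; it is not the Newsletter plugin's code. DemoGadget, both function names and the sample inputs are constructed for illustration.

```php
<?php
// Constructed stand-in for a class from another plugin or library that defines
// a magic method. It only records that the method ran.
class DemoGadget {
    public static $woke = false;
    public function __wakeup() { self::$woke = true; }
}

// Pattern from the advisory: unserialize() on request data. Any loaded class
// named in the input is instantiated and its magic methods run.
function restore_inline_edits_unsafe(array $options) {
    return unserialize($options['inline_edits']);
}

// Hardened counterpart (hypothetical helper): never instantiate objects and
// accept only a flat array of scalar values.
function restore_inline_edits_safe(array $options): array {
    $raw = $options['inline_edits'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no magic method of a real class is invoked.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    return array_filter($value, 'is_scalar');
}

// Constructed inputs: one serialized object, one ordinary options array.
$object_input = ['inline_edits' => serialize(new DemoGadget())];
$array_input  = ['inline_edits' => serialize(['title' => 'Hello', 'size' => 3])];

restore_inline_edits_unsafe($object_input);
var_dump(DemoGadget::$woke);            // state after the unsafe path

DemoGadget::$woke = false;
var_dump(restore_inline_edits_safe($object_input));
var_dump(DemoGadget::$woke);            // state after the hardened path
var_dump(restore_inline_edits_safe($array_input));
```

Exchanging the serialized format for JSON and reading it with json_decode removes object instantiation from this code path altogether.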

CPE Name      Operator    Version
newsletter    lt          6.8.2
