@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > Wordpress Modal Popup Box Plugin - Multiple Vulnerabilities
.:. Date: March 25, 2025
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Plugin -> https://wordpress.org/plugins/modal-popup-box/
.:. Product Version -> [1.5.8 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
.:. Severity: High
.:. Requires Admin+ Authentication
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Description:
The Modal Popup Box plugin for WordPress is vulnerable to PHP Object Injection because it calls unserialize() on user-controlled data. This vulnerability allows an attacker to inject a serialized PHP object into the plugin's data processing flow, potentially leading to remote code execution (RCE), data manipulation, or denial of service (DoS).
The vulnerability is located in the modal-popup-box.php file, where the plugin retrieves and processes serialized data from the WordPress post meta.
The following code snippet demonstrates the vulnerable section:
====================================================================================
// Settings blob is read back from post meta, base64-decoded and unserialized as-is.
$encodedData = get_post_meta($modal_popup_box_id, 'awl_mpb_settings_' . $modal_popup_box_id, true);
$decodedData = base64_decode($encodedData);
if (is_mpb_serialized($decodedData)) {
    // No allowed_classes restriction: any class in the stored blob is instantiated.
    $modal_popup_box_settings = unserialize($decodedData);
}
====================================================================================
Exploitation:
An attacker can exploit this vulnerability by crafting a serialized PHP object with a magic method (e.g., __destruct) that executes arbitrary code. The payload can be injected into the post meta data through form submissions.
For example, the vulnerable form parameter with the payload: mpb_main_button_text=O:14:"MaliciousClass":0:{}
Impact:
- Remote Code Execution (RCE): Execute arbitrary PHP code on the server.
- Data Manipulation: Alter plugin settings or other data stored in the database.
- Denial of Service (DoS): Cause the application to crash or become unresponsive.
Mitigation:
- Avoid using unserialize() on untrusted data.
- Use JSON for data serialization and deserialization.
- Implement strict input validation and sanitization.
- Update the plugin to the latest version once a patch is available.
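The first two mitigations applied to the read shown in the Description, as an added example that is not the plugin's own code: settings are written as JSON, and any legacy serialize()d rows are read with class instantiation disabled. The helper names mpb_write_settings() and mpb_read_settings() are assumptions; get_post_meta(), update_post_meta() and wp_json_encode() are standard WordPress functions.

```php
<?php
// Added example, not code from the plugin. Hardened replacement for the
// vulnerable read above. Assumed names: mpb_write_settings(), mpb_read_settings().

function mpb_write_settings( $modal_popup_box_id, array $settings ) {
    // JSON instead of serialize(): json_decode() can only yield scalars and
    // arrays, so a stored blob can never reach a __wakeup()/__destruct().
    $encoded = base64_encode( wp_json_encode( $settings ) );
    return update_post_meta( $modal_popup_box_id, 'awl_mpb_settings_' . $modal_popup_box_id, $encoded );
}

function mpb_read_settings( $modal_popup_box_id ) {
    $encodedData = get_post_meta( $modal_popup_box_id, 'awl_mpb_settings_' . $modal_popup_box_id, true );
    if ( ! is_string( $encodedData ) ) {
        return array();
    }
    // Strict base64 mode rejects malformed input instead of guessing.
    $decodedData = base64_decode( $encodedData, true );
    if ( false === $decodedData ) {
        return array();
    }

    // Preferred path: JSON written by mpb_write_settings().
    $settings = json_decode( $decodedData, true );
    if ( is_array( $settings ) ) {
        return $settings;
    }

    // Legacy path: rows written by the old serialize()-based code.
    // allowed_classes => false (PHP 7.0+) makes unserialize() turn every
    // object in the blob into __PHP_Incomplete_Class, which carries no
    // magic methods of its own, so an injected gadget object is inert.
    $settings = @unserialize( $decodedData, array( 'allowed_classes' => false ) );
    if ( ! is_array( $settings ) ) {
        // A bare object (e.g. O:14:"MaliciousClass":0:{}) or garbage is not a
        // settings array; refuse it rather than use it.
        return array();
    }
    return $settings;
}
```

Once every row has been rewritten through mpb_write_settings(), the legacy unserialize() branch can be deleted entirely.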
Proof of Concept:
1- Inject the serialized payload into a form field that is stored in the database and later unserialized.
2- Trigger the vulnerability by accessing the modal settings, which will execute the injected payload.
Vulnerability 2: DoS
Attempting to include the [MPBOX id=] shortcode in any post or page causes a denial of service; the root cause was not determined.