WordPress Plugin Vulnerabilities
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection
Description
The plugin nextgen-gallery-geo insecurely trusts serialised data submitted over the AJAX ngg_geo_showmap (v <= 1.0.0) or geo2_maps_showmap (v <= 2.0.2) actions, available to both unauthenticated and authenticated users. This opens up the site to a PHP object injection vulnerability potential exploit vector.
Proof of Concept
The plugin did not have a suitable gadget chain to directly exploit this issue, so it will depends on other plugins/libraries installed. v <= 1.0.0 add_action('wp_ajax_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax'); add_action('wp_ajax_nopriv_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax'); function ng_gallery_geo_shortcodes_ajax() { $options = unserialize(base64_decode($_POST['options'])); .... } v <= 2.0.2 add_action( 'wp_ajax_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' ); add_action( 'wp_ajax_nopriv_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' ); function geo2_maps_shortcodes_ajax() { check_ajax_referer( 'geo2-ajax-nonce', 'nonce' ); $options = unserialize( base64_decode( $_POST[ 'options' ] ) ); ... }
Affects Plugins
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Robert R
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2017-04-27 (about 7 years ago)
Added
2017-05-21 (about 6 years ago)
Last Updated
2021-05-16 (about 2 years ago)