WordPress Plugin Vulnerabilities
Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 - Unauthenticated PHP Object Injection
Description
The plugin nextgen-gallery-geo insecurely trusts serialised data submitted over the AJAX ngg_geo_showmap (v <= 1.0.0) or geo2_maps_showmap (v <= 2.0.2) actions, available to both unauthenticated and authenticated users. This opens up the site to a PHP object injection vulnerability potential exploit vector.
Proof of Concept
The plugin did not have a suitable gadget chain to directly exploit this issue, so it will depends on other plugins/libraries installed.
v <= 1.0.0
add_action('wp_ajax_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax');
add_action('wp_ajax_nopriv_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax');
function ng_gallery_geo_shortcodes_ajax()
{
$options = unserialize(base64_decode($_POST['options']));
....
}
v <= 2.0.2
add_action( 'wp_ajax_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' );
add_action( 'wp_ajax_nopriv_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' );
function geo2_maps_shortcodes_ajax()
{
check_ajax_referer( 'geo2-ajax-nonce', 'nonce' );
$options = unserialize( base64_decode( $_POST[ 'options' ] ) );
...
}
Affects Plugins
Fixed in 2.0.3 Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Robert R
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2017-04-27 (about 7 years ago)
Added
2017-05-21 (about 6 years ago)
Last Updated
2021-05-16 (about 2 years ago)
WPScan 