Bus Ticket Booking with Seat Reservation <= 5.6.2 - Unauthenticated PHP Object Injection

This research plan outlines the steps to investigate and exploit CVE-2026-27095, a PHP Object Injection vulnerability in the "Bus Ticket Booking with Seat Reservation" plugin.

1. Vulnerability Summary

The vulnerability is an Unauthenticated PHP Object Injection vulnerability. It occurs because the plugin accepts user-controlled serialized data via an HTTP parameter and passes it to the PHP unserialize() function without adequate validation or sanitization. Since this happens in a context reachable by unauthenticated users (likely a wp_ajax_nopriv_* handler), an attacker can supply a crafted serialized string. If a suitable Property-Oriented Programming (POP) chain exists in the environment (via other plugins or WordPress core), this can lead to remote code execution (RCE), file deletion, or data theft.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: Likely wppb_bus_booking_get_seat_layout or wppb_process_booking (inferred).
• Vulnerable Parameter: Likely bus_data, extra_info, or search_criteria (inferred).
• Authentication: None required (unauthenticated).
• Preconditions: The plugin must be active. A valid WordPress nonce may be required depending on the specific handler's implementation.

3. Code Flow

1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with a specific action.
2. Hook Registration: The plugin registers a handler using add_action('wp_ajax_nopriv_[ACTION_NAME]', 'handler_function').
3. Input Acquisition: The handler_function retrieves data from $_POST or $_GET.
4. The Sink: The retrieved data is passed through unserialize() or maybe_unserialize().
   • Likely Pattern: $data = unserialize(stripslashes($_POST['parameter'])); or $data = unserialize(base64_decode($_POST['parameter']));

4. Nonce Acquisition Strategy

To exploit AJAX handlers, a nonce is often required.

1. Identify the Script Localization: Search the plugin code for wp_localize_script.
   • Command: grep -rn "wp_localize_script" wp-content/plugins/bus-ticket-booking-with-seat-reservation/
2. Identify the Shortcode: Find the shortcode that enqueues the booking script.
   • Command: grep -rn "add_shortcode" wp-content/plugins/bus-ticket-booking-with-seat-reservation/
   • Likely Shortcode: [bus_ticket_booking] (inferred).
3. Create a Trigger Page:
   • Use WP-CLI: wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[bus_ticket_booking]'
4. Extract Nonce via Browser:
   • Navigate to the newly created page.
   • Use browser_eval to find the nonce in the global JS object (e.g., window.wppb_ajax_obj.nonce - verify name in source).

5. Exploitation Strategy

Since the vulnerability is a PHP Object Injection and no specific POP chain is identified in the plugin itself, the PoC will focus on triggering the unserialize call and demonstrating control.

Step 1: Discovery

Locate the exact sink using grep:

grep -rn "unserialize" wp-content/plugins/bus-ticket-booking-with-seat-reservation/ | grep "POST\|GET\|REQUEST"

Step 2: Crafting the Request

Once the parameter and action are identified (assume action wppb_get_layout and parameter bus_info for this example):

HTTP Request:

• Method: POST
• URL: http://<target>/wp-admin/admin-ajax.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=wppb_get_layout&nonce=[EXTRACTED_NONCE]&bus_info=O:8:"stdClass":0:{}
  

Step 3: Confirming Injection

To confirm the unserialize call without a full RCE chain, you can use a "Logger" class if available, or attempt to trigger a PHP error by providing an invalidly serialized object (e.g., O:1:"A":0:{ without the closing brace) and checking if the response or debug.log reflects a deserialization error.

6. Test Data Setup

1. Plugin Installation: Ensure version <= 5.6.2 is installed.
2. Booking Configuration: Use WP-CLI to ensure at least one bus/route is created if the handler requires it to reach the sink.
   • Command: wp post create --post_type=wppb_bus --post_status=publish --post_title="Test Bus" (inferred post type).
3. Public Page: Create a page with the booking shortcode to ensure nonces are generated for unauthenticated sessions.

7. Expected Results

• The server processes the unserialize() call.
• If using a simple stdClass object, the server should respond with its typical JSON/HTML response (e.g., 200 OK).
• If using a malformed object, the server may return a PHP warning (if WP_DEBUG is on) or a 500 error, confirming the string reached the unserialize sink.

8. Verification Steps

1. Check Debug Logs: tail -f wp-content/debug.log while sending the request. Look for "unserialize(): Error at offset...".
2. Monitor Filesystem: If using a POP chain that targets file creation (like some older WordPress core chains), check for the presence of the created file: ls /var/www/html/proof.txt.
3. Review Response: If the unserialize output is reflected back (unlikely but possible), verify the structure of the returned data.

9. Alternative Approaches

• Base64 Encoding: Check if the parameter expects a Base64-encoded serialized string (common in WordPress plugins to avoid truncation).
  • Test: bus_info=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==
• Different Actions: If wppb_bus_booking_get_seat_layout does not contain the sink, check handlers related to:
  • Searching: wppb_bus_search
  • Cart/Checkout: wppb_add_to_cart
  • Custom Fields: wppb_save_extra_fields