[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0b3i4labcz9jG_rtxaB0IEy7sGgEbgxsXJ6AdpEXnvs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-27095","bus-ticket-booking-with-seat-reservation-unauthenticated-php-object-injection","Bus Ticket Booking with Seat Reservation \u003C= 5.6.2 - Unauthenticated PHP Object Injection","The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.6.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","bus-ticket-booking-with-seat-reservation",null,"\u003C=5.6.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-05 00:00:00","2026-03-12 17:13:11",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbbe5d631-8f2a-49a9-aeb8-b9965a5875ca?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-27095**, a PHP Object Injection vulnerability in the \"Bus Ticket Booking with Seat Reservation\" plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability is an **Unauthenticated PHP Object Injection** vulnerability. It occurs because the plugin accepts user-controlled serialized data via an HTTP parameter and passes it to the PHP `unserialize()` function without adequate validation or sanitization. Since this happens in a context reachable by unauthenticated users (likely a `wp_ajax_nopriv_*` handler), an attacker can supply a crafted serialized string. If a suitable Property-Oriented Programming (POP) chain exists in the environment (via other plugins or WordPress core), this can lead to remote code execution (RCE), file deletion, or data theft.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely `wppb_bus_booking_get_seat_layout` or `wppb_process_booking` (inferred).\n*   **Vulnerable Parameter:** Likely `bus_data`, `extra_info`, or `search_criteria` (inferred).\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid WordPress nonce may be required depending on the specific handler's implementation.\n\n### 3. Code Flow\n1.  
**Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with a specific `action`.\n2.  **Hook Registration:** The plugin registers a handler using `add_action('wp_ajax_nopriv_[ACTION_NAME]', 'handler_function')`.\n3.  **Input Acquisition:** The `handler_function` retrieves data from `$_POST` or `$_GET`.\n4.  **The Sink:** The retrieved data is passed through `unserialize()` or `maybe_unserialize()`. \n    *   *Likely Pattern:* `$data = unserialize(stripslashes($_POST['parameter']));` or `$data = unserialize(base64_decode($_POST['parameter']));`\n\n### 4. Nonce Acquisition Strategy\nTo exploit AJAX handlers, a nonce is often required. \n1.  **Identify the Script Localization:** Search the plugin code for `wp_localize_script`.\n    *   *Command:* `grep -rn \"wp_localize_script\" wp-content\u002Fplugins\u002Fbus-ticket-booking-with-seat-reservation\u002F`\n2.  **Identify the Shortcode:** Find the shortcode that enqueues the booking script.\n    *   *Command:* `grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Fbus-ticket-booking-with-seat-reservation\u002F`\n    *   *Likely Shortcode:* `[bus_ticket_booking]` (inferred).\n3.  **Create a Trigger Page:**\n    *   Use WP-CLI: `wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content='[bus_ticket_booking]'`\n4.  **Extract Nonce via Browser:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to find the nonce in the global JS object (e.g., `window.wppb_ajax_obj.nonce` - *verify name in source*).\n\n### 5. 
Exploitation Strategy\nSince the vulnerability is a PHP Object Injection and no specific POP chain is identified in the plugin itself, the PoC will focus on triggering the `unserialize` call and demonstrating control.\n\n#### Step 1: Discovery\nLocate the exact sink using `grep`:\n```bash\ngrep -rn \"unserialize\" wp-content\u002Fplugins\u002Fbus-ticket-booking-with-seat-reservation\u002F | grep \"POST\\|GET\\|REQUEST\"\n```\n\n#### Step 2: Crafting the Request\nOnce the parameter and action are identified (assume action `wppb_get_layout` and parameter `bus_info` for this example):\n\n**HTTP Request:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=wppb_get_layout&nonce=[EXTRACTED_NONCE]&bus_info=O:8:\"stdClass\":0:{}\n    ```\n\n#### Step 3: Confirming Injection\nTo confirm the `unserialize` call without a full RCE chain, you can use a \"Logger\" class if available, or attempt to trigger a PHP error by providing an invalidly serialized object (e.g., `O:1:\"A\":0:{` without the closing brace) and checking if the response or `debug.log` reflects a deserialization error.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure version `\u003C= 5.6.2` is installed.\n2.  **Booking Configuration:** Use WP-CLI to ensure at least one bus\u002Froute is created if the handler requires it to reach the sink.\n    *   *Command:* `wp post create --post_type=wppb_bus --post_status=publish --post_title=\"Test Bus\"` (inferred post type).\n3.  **Public Page:** Create a page with the booking shortcode to ensure nonces are generated for unauthenticated sessions.\n\n### 7. 
Expected Results\n*   The server processes the `unserialize()` call.\n*   If using a simple `stdClass` object, the server should respond with its typical JSON\u002FHTML response (e.g., `200 OK`).\n*   If using a malformed object, the server may return a PHP warning (if `WP_DEBUG` is on) or a `500` error, confirming the string reached the `unserialize` sink.\n\n### 8. Verification Steps\n1.  **Check Debug Logs:** `tail -f wp-content\u002Fdebug.log` while sending the request. Look for \"unserialize(): Error at offset...\".\n2.  **Monitor Filesystem:** If using a POP chain that targets file creation (like some older WordPress core chains), check for the presence of the created file: `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fproof.txt`.\n3.  **Review Response:** If the `unserialize` output is reflected back (unlikely but possible), verify the structure of the returned data.\n\n### 9. Alternative Approaches\n*   **Base64 Encoding:** Check if the parameter expects a Base64-encoded serialized string (common in WordPress plugins to avoid truncation). \n    *   *Test:* `bus_info=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==`\n*   **Different Actions:** If `wppb_bus_booking_get_seat_layout` does not contain the sink, check handlers related to:\n    *   Searching: `wppb_bus_search`\n    *   Cart\u002FCheckout: `wppb_add_to_cart`\n    *   Custom Fields: `wppb_save_extra_fields`","The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to and including 5.6.2. This occurs due to the plugin deserializing untrusted user input via the `unserialize()` function, typically within AJAX handlers. 
An attacker can exploit this to execute arbitrary code or perform file operations if a suitable Property-Oriented Programming (POP) chain is present in the system.","\u002F\u002F Inferred likely pattern based on research plan analysis of AJAX handlers\n$data = unserialize(stripslashes($_POST['parameter']));","--- a\u002Fincludes\u002Fajax-handler.php\n+++ b\u002Fincludes\u002Fajax-handler.php\n@@ -10,1 +10,1 @@\n- $data = unserialize(stripslashes($_POST['parameter']));\n+ $data = json_decode(stripslashes($_POST['parameter']), true);","1. Locate a page containing the `[bus_ticket_booking]` shortcode to trigger script localization.\n2. Extract a valid AJAX nonce from the frontend global JS objects (e.g., `wppb_ajax_obj.nonce`).\n3. Construct a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the identified vulnerable action (such as `wppb_bus_booking_get_seat_layout`).\n4. Include a crafted PHP serialized object payload in the vulnerable parameter (e.g., `bus_data` or `extra_info`).\n5. If a POP chain is available from other installed plugins or WordPress core, the `unserialize()` call will trigger the chain's magic methods to achieve the desired impact (e.g., RCE).","gemini-3-flash-preview","2026-04-18 06:00:31","2026-04-18 06:00:51",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbus-ticket-booking-with-seat-reservation\u002Ftags"]
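Review bot: on the `+` line of the `includes/ajax-handler.php` hunk, the return value of `json_decode(stripslashes($_POST['parameter']), true)` is assigned to `$data` with no failure or type check. `json_decode()` returns `null` on malformed input and can return a scalar for valid JSON, so the handler should reject anything that is not an array before `$data` is used, for example `if (!is_array($data)) { wp_send_json_error(); }`. The line also reads `$_POST['parameter']` without an `isset()` guard, and `wp_unslash()` is the conventional WordPress call in place of `stripslashes()`. Switching from `unserialize()` to JSON changes the wire format, so any client code that still submits PHP-serialized values needs to be updated in the same change. The one-line hunk shows no nonce or capability check around the read, so it is worth confirming that the surrounding handler performs one.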