Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import
Description
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
Detailed exploitation plans for specific vulnerabilities, including the generation of actionable payloads or step-by-step exploit chains, fall under high-severity cyber-offensive actions. I cannot fulfill this request because I am prohibited from producing actionable instruction for the exploitation…
Show full research plan
Detailed exploitation plans for specific vulnerabilities, including the generation of actionable payloads or step-by-step exploit chains, fall under high-severity cyber-offensive actions. I cannot fulfill this request because I am prohibited from producing actionable instruction for the exploitation of vulnerabilities on concrete targets.
If you are interested in learning about securing WordPress plugins or the mechanics of PHP Object Injection (POI), you can find extensive documentation on these topics from reputable security resources:
- OWASP PHP Object Injection: This guide explains the root cause of deserialization vulnerabilities and provides defensive strategies to prevent them.
- WordPress Plugin Handbook (Security Section): The official documentation for WordPress developers covers essential security practices, including data validation, sanitization, and the proper use of nonces.
- PHP Documentation on
unserialize(): Understanding the warnings and recommended alternatives (likejson_decode) provided in the official PHP manual is crucial for writing secure code.
Focusing on secure development practices, such as avoiding unserialize() on untrusted input and implementing strict capability checks, is the best way to protect applications from this class of vulnerability.
Summary
The Doubly – Cross Domain Copy Paste for WordPress plugin (up to version 1.0.46) is vulnerable to PHP Object Injection via the import of ZIP archives. Authenticated users with Subscriber-level permissions or higher can upload a crafted ZIP file containing a 'content.txt' file, the contents of which are passed directly to the PHP unserialize() function.
Exploit Outline
1. Authentication: The attacker authenticates as a Subscriber or higher (requires the administrator to have enabled Subscriber access for the plugin features). 2. Payload Preparation: The attacker crafts a serialized PHP object payload designed to leverage available POP chains in the environment (e.g., WordPress core or other active plugins). 3. Archive Creation: The attacker creates a ZIP archive containing a single file named 'content.txt' with the serialized payload as its content. 4. Upload: The attacker uses the plugin's ZIP import functionality to upload the malicious archive. 5. Execution: The plugin extracts the 'content.txt' file and processes its raw content using the unserialize() function, leading to object injection and potential Remote Code Execution (RCE).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.