CVE-2025-68047

Eventin <= 4.1.3 - Authenticated (Contributor+) PHP Object Injection

Severity: high
Weakness type: Deserialization of Untrusted Data
CVSS Score: 7.5
Patched in: 4.1.4
Time to patch: 35d

Description

The Eventin plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.1.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 4.1.3
Published: January 22, 2026
Last updated: February 25, 2026
Affected plugin: wp-event-solution

What Changed in the Fix

Changes introduced in v4.1.4

Source Code: WordPress.org SVN

Research Plan (status: Unverified)

Vulnerability Research Plan: CVE-2025-68047

1. Vulnerability Summary

The Eventin plugin (versions <= 4.1.3) is vulnerable to PHP Object Injection via the deserialization of untrusted data. The vulnerability exists in the plugin's shortcode generator functionality, which is accessible to authenticated users with Contributor-level permissions or higher. The backend fails to sanitize or validate input passed to a deserialization function (likely maybe_unserialize or unserialize) when processing shortcode configuration data via AJAX.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: etn_get_shortcode_template_ajax (inferred from JS logic in 168.7f074eee.js)
  • Vulnerable Parameter: shortcode_data
  • Authentication: Authenticated (Contributor+)
  • Preconditions: The attacker must have a valid session with at least Contributor permissions. The plugin's shortcode generator scripts must be enqueued (standard on post/page editor screens).

3. Code Flow

  1. Frontend Entry (JS Chunk 168): The React-based UI handles shortcode configuration (e.g., for event-with-calendar, advanced-search, or schedule).
  2. Trigger: When a user interacts with the shortcode builder, the handleGetScript (aliased as S in minified JS) or handleGenerate (g) function is triggered.
  3. AJAX Request: These functions initiate an AJAX call to admin-ajax.php with the action etn_get_shortcode_template_ajax. The current form state (attributes like style, limit, category) is collected into a data object.
  4. Data Transmission: This data is sent to the server, often inside a parameter named shortcode_data.
  5. Backend Sink (Inferred PHP): The backend AJAX handler (likely in a class named ETN_Shortcode_Generator or similar) retrieves $_POST['shortcode_data'].
  6. Vulnerable Sink: The code calls maybe_unserialize( stripslashes( $_POST['shortcode_data'] ) ) or unserialize(). Since shortcode_data is directly user-controlled, an attacker can provide a serialized PHP object instead of the expected array/string.
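The sink from step 6, written out as a constructed PHP illustration (not Eventin's own code) beside a hardened handler. The function names, the nonce action 'etn_shortcode_nonce' and the attribute whitelist are assumptions; the page only infers the handler's shape.

```php
<?php
// Constructed illustration, not code from the Eventin plugin. Function names,
// the nonce action 'etn_shortcode_nonce' and the attribute whitelist are assumed.

// Vulnerable pattern from the code-flow description: the raw POST value reaches
// maybe_unserialize(), so a serialized "O:" payload is instantiated as an object
// and its __wakeup()/__destruct() run (exploitable only with a gadget chain).
function etn_shortcode_template_vulnerable() {
    check_ajax_referer( 'etn_shortcode_nonce', 'nonce' );
    $data = maybe_unserialize( stripslashes( $_POST['shortcode_data'] ) );
    wp_send_json_success( $data );
}

// Hardened handler: authorize, take JSON instead of PHP serialization, and keep
// only the attributes the shortcode builder is known to use.
function etn_shortcode_template_hardened() {
    check_ajax_referer( 'etn_shortcode_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw  = isset( $_POST['shortcode_data'] ) ? wp_unslash( $_POST['shortcode_data'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'shortcode_data must be a JSON object', 400 );
    }
    $clean = array();
    foreach ( array( 'style', 'limit', 'category' ) as $key ) {
        if ( isset( $data[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $data[ $key ] );
        }
    }
    $clean['limit'] = isset( $clean['limit'] ) ? absint( $clean['limit'] ) : 10;
    wp_send_json_success( $clean );
}

// Fallback when the serialized format cannot be changed: forbid class
// instantiation so no magic method can run, then refuse any object that remains
// (PHP turns forbidden classes into __PHP_Incomplete_Class instances).
function etn_safe_unserialize( $raw ) {
    if ( ! is_serialized( $raw ) ) {
        return $raw;
    }
    $value = unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_object( $value ) ? false : $value;
}
```

The JSON route is the real fix; `allowed_classes => false` only removes the object-instantiation primitive and still leaves the rest of the input untrusted.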

4. Nonce Acquisition Strategy

The shortcode generator requires a nonce for verification (check_ajax_referer or wp_verify_nonce). In Eventin, nonces for admin/AJAX actions are typically localized into a global JavaScript object.

  1. Target Page: The shortcode generator is loaded on the "Add New Post" or "Add New Event" screen.
  2. Creation: Create a temporary post to ensure the environment is ready.
    wp post create --post_type=post --post_status=publish --post_title="Exploit Target"
  3. Extraction:
    • Navigate to the post editor as the Contributor user.
    • Use browser_eval to extract the nonce from the etn_shortcode_obj or eventin_admin_data object.
    • JS Identifier: Based on Eventin's architecture, the variable is likely window.etn_shortcode_obj?.nonce.

5. Exploitation Strategy

The exploit will involve sending a specially crafted POST request to the AJAX endpoint.

  1. Preparation:
    • Login as a Contributor.
    • Navigate to wp-admin/post-new.php.
    • Extract the nonce using browser_eval.
  2. Payload Generation:
    • Since no POP chain is confirmed in Eventin itself, use a generic PHP object to confirm injection. If the environment has GuzzleHttp or other common libraries, a chain could be used. For verification, we will inject a non-existent class and look for a "Class Not Found" error if WP_DEBUG is on, or use a known internal WP class.
    • Payload: O:8:"stdClass":1:{s:3:"poi";s:7:"success";} (Serialized stdClass object).
  3. HTTP Request (via http_request tool):
    • Method: POST
    • URL: https://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=etn_get_shortcode_template_ajax&nonce=<NONCE>&shortcode_data=O:8:"stdClass":1:{s:3:"poi";s:7:"success";}

6. Test Data Setup

  1. User: Create a Contributor user.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  2. Plugin: Ensure wp-event-solution version 4.1.3 is installed and active.
  3. Content: Ensure at least one event category exists to populate the shortcode UI (though not strictly required for the sink).
    wp term create event_category "Test Category" --slug=test-cat

7. Expected Results

  • Successful Exploitation: The server processes the request. If a class-based payload is used (e.g., a non-existent class O:14:"ExploitTrigger":0:{}), the PHP error log or response (if WP_DEBUG is active) will show an __unserialize() or __wakeup() attempt or a fatal error: PHP Fatal error: unserialize(): Unknown or dangling tag ....
  • Response: Usually, the AJAX handler returns a JSON response. A successful injection might still return a 200 OK but trigger the object's magic methods on the backend.

8. Verification Steps

  1. Logs: Check /var/www/html/wp-content/debug.log for evidence of the injected class being processed.
  2. Blind Verification: Use a payload that triggers a time delay (if a POP chain like Guzzle is present) or use a "pingback" class if available.
  3. Manual Trace: Use wp eval to check if maybe_unserialize behaves as expected with the provided payload:
    wp eval 'var_dump(maybe_unserialize("O:8:\"stdClass\":1:{s:3:\"poi\";s:7:\"success\";}"));'
    Confirm the output is an object(stdClass) and not an array.

9. Alternative Approaches

  • Different Actions: If etn_get_shortcode_template_ajax is not the correct action, search for other AJAX hooks registered by the plugin using:
    grep -r "wp_ajax_" wp-content/plugins/wp-event-solution/ | grep "shortcode"
  • Different Parameter: The parameter might be data or settings instead of shortcode_data. Verify by inspecting the network tab in the browser while using the Shortcode Generator UI.
  • AI Integration Endpoint: JS Chunk 213 mentions eventin-ai-create-event-modal. The AI features might also pass serialized settings to the backend.
