Modal Popup Box <= 1.6.1 - Authenticated (Contributor+) PHP Object Injection

This research plan focuses on identifying and exploiting a PHP Object Injection vulnerability in the Modal Popup Box plugin (<= 1.6.1).

1. Vulnerability Summary

The Modal Popup Box plugin for WordPress fails to safely handle serialized data provided by users with at least Contributor-level permissions. The vulnerability exists because the plugin calls unserialize() on a parameter (likely related to popup settings, styles, or import/export functionality) without proper validation or using the allowed_classes => false option. While no default POP chain is identified in the plugin itself, an attacker can leverage POP chains in other installed plugins or WordPress core to achieve Remote Code Execution (RCE) or file manipulation.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php
• Action: modal_popup_box_save_settings or mpb_save_data (inferred from plugin logic).
• Vulnerable Parameter: Likely settings_data or import_data.
• Authentication: Authenticated, Contributor-level access (edit_posts capability) is required.
• Preconditions: The attacker must be logged in as a Contributor and obtain a valid AJAX nonce.

3. Code Flow

1. Entry Point: A Contributor sends a POST request to admin-ajax.php with an action parameter associated with saving or importing popup configurations.
2. Hook Registration: The plugin registers AJAX handlers in its main class or admin class (e.g., inc/admin/class-modal-popup-box-admin.php or modal-popup-box.php):
   • add_action('wp_ajax_modal_popup_box_save_settings', '...')
3. Handler Execution: The handler function (e.g., modal_popup_box_save_settings()) is called.
4. The Sink: Inside the handler, the code retrieves data from $_POST and passes it to unserialize():

   // Likely pattern in 1.6.1
   $settings = $_POST['settings'];
   $data = unserialize(stripslashes($settings)); 
   

5. Object Injection: By providing a crafted serialized string, the attacker triggers the instantiation of arbitrary classes present in the PHP environment.

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for its admin interface. Since Contributors can access the Modal Popup Box menu (or create/edit posts), the nonce can be extracted from the admin dashboard.

1. Identify Localization: Look for wp_localize_script in the plugin's admin scripts registration.
2. JS Variable: The variable is likely modal_popup_box_ajax_object or mpb_ajax_vars.
3. Extraction Steps:
   • Log in as a Contributor.
   • Navigate to the Modal Popup Box management page: /wp-admin/edit.php?post_type=modal-popup-box.
   • Use browser_eval to extract the nonce:

     // Example extraction (verify key name in source)
     window.modal_popup_box_ajax_object?.nonce 
     

   • Alternative: Search the HTML source for _ajax_nonce or nonce within the plugin's settings forms.

5. Exploitation Strategy

Step 1: Discover the exact AJAX action and parameter

Use wp_cli to find the unserialize call and its associated AJAX hook:
grep -rn "unserialize" /var/www/html/wp-content/plugins/modal-popup-box/

Step 2: Prepare the Payload

Since no specific POP chain is required for a PoC, use a generic stdClass or a common WordPress core class like WP_Block_List to demonstrate the injection.

• Payload: O:8:"stdClass":1:{s:3:"foo";s:3:"bar";} (URL-encoded).

Step 3: Execute the Exploit

Send the malicious request using the http_request tool.

Example Request:

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=modal_popup_box_save_settings&nonce=[EXTRACTED_NONCE]&settings=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D
  

6. Test Data Setup

1. User Creation: Create a Contributor user.
   • wp user create attacker attacker@example.com --role=contributor --user_pass=password
2. Plugin Setup: Ensure the plugin is active.
   • wp plugin activate modal-popup-box
3. Initial Content: Create at least one "Modal" to ensure the interface loads correctly for the Contributor.
   • wp post create --post_type=modal-popup-box --post_title="Test Modal" --post_status=publish

7. Expected Results

• Success: The server processes the request. If a non-existent class is injected, the PHP error log (if WP_DEBUG is on) might show PHP Fatal error: Uncaught Error: Class 'AttackerClass' not found.
• Response: The AJAX handler may return a JSON success message {"success":true} or a 1.
• Side Effect: If using a real POP chain (e.g., from a library like Guzzle if present), the specific chain action (file write/delete) will be observed.

8. Verification Steps

1. Error Log Monitoring: Check the WordPress debug log for deserialization errors:
   • tail -f /var/www/html/wp-content/debug.log
2. Database Verification: Check if the injected string was stored in wp_postmeta for the modal:
   • wp post meta list [POST_ID]
3. Code Execution (if POP chain exists): Verify the presence of a file created by a __destruct or __wakeup method.

9. Alternative Approaches

If the modal_popup_box_save_settings action is not the primary sink:

• Check Import Feature: Look for a "Import" button in the plugin settings. This often uses an import action that directly unserialize()s the uploaded file or textarea content.
• Action: modal_popup_box_import
• Parameter: import_file_content or mpb_import_data.
• Shortcode Attributes: If the plugin processes shortcode attributes via unserialize (less common but possible), try creating a post with a malicious shortcode: [modal-popup-box settings="O:8:..."].