Photo Contest | Competition | Video Contest <= 2.9.1 - Authenticated (Author+) PHP Object Injection

This research plan targets CVE-2026-0677, a PHP Object Injection vulnerability in the Photo Contest | Competition | Video Contest (totalcontest-lite) plugin.

---

1. Vulnerability Summary

The vulnerability arises from the insecure use of unserialize() on user-controlled input within the contest management or settings update functionality. Specifically, the plugin processes contest data, templates, or configuration blobs that are transmitted in a serialized format (often Base64-encoded) from the client-side editor to the server. Because the plugin does not adequately validate the structure of this data before passing it to unserialize(), an authenticated user with Author-level permissions can inject arbitrary PHP objects into the application scope.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php
• Action: totalcontest_ajax (inferred) or a similar AJAX handler used for contest updates.
• Method: POST
• Vulnerable Parameter: data or settings (often inside a JSON or Base64-encoded structure).
• Authentication: Required (Author or higher). Authors have permission to create and manage their own contests in TotalContest Lite.
• Preconditions: The attacker must be logged in as an Author and have access to the "Contest" editor dashboard.

3. Code Flow (Inferred)

1. Entry Point: The plugin registers an AJAX handler for authenticated users:
   add_action('wp_ajax_totalcontest_ajax', [...]);
2. Request Routing: The totalcontest_ajax handler uses a method or route parameter to delegate the request to a specific controller (e.g., ContestController).
3. Data Extraction: The controller retrieves the data parameter from $_POST.
4. Vulnerable Sink: The data is processed by a "Store" or "Model" class. In TotalContest architecture, complex settings are often stored as serialized strings in the wp_options or wp_postmeta tables. Before saving or during processing, the plugin calls:
   $decoded = maybe_unserialize(base64_decode($_POST['data']));
   OR
   $decoded = unserialize($raw_data);
5. Object Injection: If $raw_data contains a serialized object (e.g., O:8:"Exploit":0:{}), PHP will instantiate that class, triggering its __wakeup() or __destruct() magic methods if they exist in the environment.

4. Nonce Acquisition Strategy

TotalContest Lite utilizes a localization object to pass nonces to its Vue.js/React-based admin interface.

1. Shortcode Identification: The plugin's admin scripts are enqueued on pages where the contest editor is active.
2. Page Creation: Create a page that forces the plugin's admin context (though for Author+, simply accessing the existing Contest dashboard is usually sufficient).
3. Localization Key: The plugin typically localizes data under the global JavaScript variable totalcontest.
4. Extraction Command:
   Use browser_navigate to wp-admin/admin.php?page=totalcontest-contests.
   Then execute:
   browser_eval("window.totalcontest?.nonce") or browser_eval("window.totalcontest_config?.nonce").

5. Exploitation Strategy

The goal is to deliver a serialized payload via the contest update AJAX request.

Step-by-Step Plan:

1. Login: Authenticate as an Author.
2. Identify Target Action: Observe the network traffic when saving a contest. Look for a POST to admin-ajax.php with action=totalcontest_ajax.
3. Construct Payload:
   Since no internal POP chain is identified, use a generic "check" object to confirm injection or use a known WordPress core gadget (like WP_Theme for file existence checks if applicable).
   • Example Payload: O:8:"TestObject":0:{}
4. Base64 Encoding: The plugin usually expects data to be Base64-encoded.
   echo -n 'O:8:"TestObject":0:{}' | base64 -> Tzo4OiJUZXN0T2JqZWN0IowwOnt9
5. Send HTTP Request:

   POST /wp-admin/admin-ajax.php HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   
   action=totalcontest_ajax&method=contest.update&nonce=[NONCE]&data=[BASE64_PAYLOAD]
   

   Note: The method might be contest.save or settings.update depending on the exact version and file structure.

6. Test Data Setup

1. User Creation:
   wp user create attacker attacker@example.com --role=author --user_pass=password
2. Contest Creation:
   wp post create --post_type=contest --post_title="VulnTest" --post_status=publish --post_author=[ATTACKER_ID]
3. Identify Nonce: Use the browser_eval method mentioned in Section 4 while viewing the "VulnTest" edit page.

7. Expected Results

• Confirmation of Deserialization: If an invalid class is injected (e.g., O:13:"NonExistent":0:{}), the server may return a 500 Internal Server Error if WP_DEBUG is on, or a specific PHP error regarding the failure to find the class.
• POP Chain Execution: If a gadget like GuzzleHttp\Cookie\CookieJar (common in many WP environments) is present, a successful exploit would result in the specific action defined by that gadget (e.g., arbitrary file write or SSRF).

8. Verification Steps

1. Logs: Check the WordPress debug log (wp-content/debug.log) for "complete" or "incomplete" object errors.
   grep "PHP Notice: unserialize(): Error at offset" wp-content/debug.log
2. Database Check: Verify if the injected string was stored in the database:
   wp db query "SELECT meta_value FROM wp_postmeta WHERE meta_key = '_totalcontest_settings'"
3. Tracing: Use a custom PHP snippet to log calls to unserialize() within the plugin directory to confirm the exact file and line number.

9. Alternative Approaches

• Template Import: TotalContest has a "Template" or "Preset" import feature. These often accept a raw string that is unserialized. Check for an AJAX action like totalcontest_import_template.
• Contest Export/Import: Check if the Author can "Import" a contest via a JSON/Serialized file upload or text area. This is a classic injection point for this plugin family.
• Request Method Parameter: If method=contest.update fails, try variations like method=store.update or method=options.save, as the plugin uses a modular routing system for its AJAX actions.