Podlove Web Player <= 5.9.1 - Authenticated (Contributor+) PHP Object Injection
Description
The Podlove Web Player plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.9.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=5.9.1What Changed in the Fix
Changes introduced in v5.9.2
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-24385 - Podlove Web Player PHP Object Injection ## 1. Vulnerability Summary The **Podlove Web Player** plugin (up to 5.9.1) is vulnerable to **PHP Object Injection** via the `unserialize()` function. The vulnerability exists because the plugin retrieves media …
Show full research plan
Exploitation Research Plan: CVE-2026-24385 - Podlove Web Player PHP Object Injection
1. Vulnerability Summary
The Podlove Web Player plugin (up to 5.9.1) is vulnerable to PHP Object Injection via the unserialize() function. The vulnerability exists because the plugin retrieves media information from a post's enclosure custom field and passes the 4th line of that field directly into unserialize() without any validation or sanitization. An authenticated attacker with Contributor level permissions can create a post, set a malicious enclosure meta field, and trigger the injection by referencing that post in a shortcode.
2. Attack Vector Analysis
- Endpoint: Any page or post where the
[podlove-web-player]shortcode is rendered, or any REST API endpoint that fetches player data for a post. - Vulnerable Parameter: The 4th line (index 3) of the
enclosurepost meta field. - Authentication: Authenticated (Contributor+).
- Preconditions: The attacker must be able to create a post and set custom fields (standard Contributor capability).
3. Code Flow
- Entry Point: A user views a page containing the shortcode:
[podlove-web-player post="123"]. - Logic Trigger: The shortcode handler (likely in the core plugin class) identifies the
postattribute and invokes the data provider. - Vulnerable Method: The logic enters
Podlove_Web_Player_Embed_Data::post($postId)inincludes/class-podlove-web-player-embed-data.php. - Data Retrieval:
$customFields = get_post_custom($postId);(line 74) fetches all metadata for the specified post.$enclosure = explode("\n", $customFields['enclosure'][0]);(line 79) splits theenclosurefield by newlines.
- Sink:
$duration = unserialize($enclosure[3]);(line 85) executes. The 4th element of the exploded array is passed directly tounserialize().
- Processing: The code then attempts to access
$duration['duration'](line 89). If$durationis an injected object that does not implementArrayAccess, it will trigger a PHP Fatal Error, confirming the injection.
4. Nonce Acquisition Strategy
This vulnerability does not require a WordPress nonce for the following reasons:
- Shortcode Processing: Shortcodes are processed on the server-side during the
the_contentfilter execution when a page is rendered. There is no client-side nonce check for the initial rendering. - Stored Data: The payload is stored in the database as post metadata. The trigger is simply viewing the content that references that metadata.
- REST API (If used): If the player fetches data via REST, these data-providing endpoints for public posts typically do not require nonces for read-access to configuration.
5. Exploitation Strategy
The goal is to demonstrate that an arbitrary PHP object can be injected into the unserialize() call.
Step 1: Create the Payload Post (as Contributor)
The attacker creates a "Data Source" post and sets the enclosure meta field.
- Field Name:
enclosure - Field Value:
http://example.com/audio.mp3 1337 audio/mpeg O:8:"stdClass":1:{s:8:"duration";s:9:"HACKED-99";}
Step 2: Trigger the Vulnerability
The attacker creates a "Trigger" post (or uses the same one) containing the shortcode:[podlove-web-player post="DATA_SOURCE_POST_ID"]
Step 3: View the Trigger Post
The attacker navigates to the URL of the Trigger post.
6. Test Data Setup
Use WP-CLI to set up the environment efficiently:
Create a Contributor user:
wp user create attacker attacker@example.com --role=contributor --user_pass=passwordCreate the Data Source post (ID will be captured):
SOURCE_ID=$(wp post create --post_type=post --post_title='Data Source' --post_status=publish --porcelain)Set the Malicious Meta:
Note: Theenclosurefield requires specific newline formatting.wp post meta set $SOURCE_ID enclosure "http://example.com/audio.mp3 1337 audio/mpeg O:8:\"stdClass\":1:{s:8:\"duration\";s:9:\"HACKED-99\";}"Create the Trigger post:
wp post create --post_type=post --post_title='Player Page' --post_content="[podlove-web-player post='$SOURCE_ID']" --post_status=publish
7. Expected Results
- Success Indicator (Object Injection): When viewing the Trigger post, the server should return a 500 Internal Server Error or a PHP Fatal Error:
Fatal error: Uncaught Error: Cannot use object of type stdClass as array in .../includes/class-podlove-web-player-embed-data.php:89. This confirms the string was successfully deserialized into an object. - Success Indicator (Control Case - Array Injection): If the payload is changed to a serialized array
a:1:{s:8:"duration";s:9:"HACKED-99";}, the player on the page (viewing the HTML source) should contain the string"duration":"HACKED-99".
8. Verification Steps
After performing the HTTP request to the trigger post, check the PHP error logs:docker logs wordpress 2>&1 | grep "stdClass as array"
If the log contains:
`PHP Fatal error: Uncaught Error: Cannot use object of type stdClass as array in /var/www/html/wp-content/plugins/podlove-web-player/includes/class-pod
Summary
The Podlove Web Player plugin is vulnerable to PHP Object Injection via the unserialize() function when processing the 'enclosure' custom field of a post. Authenticated attackers with Contributor-level permissions can exploit this by crafting a malicious post meta value and triggering its processing via the plugin's shortcode.
Vulnerable Code
// includes/class-podlove-web-player-embed-data.php:82 $enclosure = explode("\n", $customFields['enclosure'][0]); $url = $enclosure[0]; $fileSize = $enclosure[1]; $mimeType = $enclosure[2]; $duration = unserialize($enclosure[3]); return array( 'title' => $post->post_title, 'duration' => $duration['duration'],
Security Fix
@@ -70,7 +70,7 @@ $fileSize = $enclosure[1]; $mimeType = $enclosure[2]; - $duration = unserialize($enclosure[3]); + $duration = json_decode($enclosure[3], true); return array( 'title' => $post->post_title,
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level access or higher first creates or edits a WordPress post. They add or update a custom field named 'enclosure' with a value containing four lines of text separated by newlines. The fourth line (index 3) is populated with a serialized PHP object payload. The attacker then ensures a page exists containing the [podlove-web-player post="ID"] shortcode, where 'ID' refers to the post they modified. When any user (including the attacker or an administrator) views the page with that shortcode, the plugin fetches the custom meta field, splits it by newlines, and passes the fourth line directly into unserialize(), triggering the object injection. If a suitable POP chain is available on the site, this can lead to remote code execution or file manipulation.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.