CVE-2026-23798

PowerPress Podcasting plugin by Blubrry <= 11.15.10 - Authenticated (Contributor+) PHP Object Injection

Weakness: Deserialization of Untrusted Data
CVSS Score: 7.5
Severity: high
Patched in: 11.15.11
Time to patch: 9d

Description

The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 11.15.10 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 11.15.10
Published: February 25, 2026
Last updated: March 5, 2026
Affected plugin: powerpress

Source Code: WordPress.org SVN

Research Plan (Unverified)


Research Plan: CVE-2026-23798 - PowerPress Podcasting Object Injection

1. Vulnerability Summary

The PowerPress Podcasting plugin (<= 11.15.10) contains a PHP Object Injection vulnerability accessible to users with Contributor-level permissions or higher. The vulnerability exists because the plugin passes user-controlled metadata through the unserialize() function (or a wrapper) during the post-saving process or through an AJAX-based metadata update.

While no built-in POP (Property-Oriented Programming) chain is identified within PowerPress itself, the vulnerability can be leveraged if other plugins or themes with usable POP chains are installed.

2. Attack Vector Analysis

  • Endpoint: POST /wp-admin/post.php (standard post save) or POST /wp-admin/admin-ajax.php.
  • Action: editpost (standard) or powerpress_save_episode (AJAX).
  • Vulnerable Parameter: PowerPress[...] array elements, likely PowerPress[itunes_image] or a hidden metadata field like powerpress_episode_data.
  • Authentication: Required (Contributor+).
  • Preconditions: The PowerPress "Episode" meta box must be active on the post type (usually post).

3. Code Flow

  1. A Contributor user initiates a post save or an episode metadata update.
  2. The powerpress_save_settings function or the save_post hook handler (e.g., powerpressadmin_post_save) is triggered.
  3. The plugin processes the $_POST['PowerPress'] array.
  4. In powerpressadmin-metabox.php or powerpressadmin-auth.php, the plugin encounters a field intended to store complex attributes (like iTunes metadata or media info).
  5. The plugin calls unserialize() on a specific string value from the PowerPress array before merging it into the global settings or storing it in the _enclosure meta field.
  6. Sink: unserialize($user_input).
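The sink described in the Description and in steps 5 and 6 above, shown beside a hardened replacement. This is an added illustration written for this page, not PowerPress's code or its patch: the $_POST['PowerPress'] array and the itunes_image key come from the page, while the handler and helper names are invented.

```php
<?php
// Added illustration, not PowerPress's own code: a plugin-style save handler
// written two ways, so the unsafe sink the advisory describes can be compared
// with a hardened replacement. The $_POST['PowerPress'] array and the
// 'itunes_image' key are taken from the page; the function names are made up.
// Requires PHP 8.0+ for the mixed type.

declare(strict_types=1);

/**
 * VULNERABLE pattern: an untrusted string is handed straight to unserialize().
 * PHP instantiates whatever class the payload names, so any class on the site
 * with a useful __wakeup()/__destruct()/__toString() (a "POP chain") becomes
 * reachable by anyone who can submit the form.
 */
function save_episode_meta_unsafe(array $post): mixed
{
    $raw = $post['PowerPress']['itunes_image'] ?? '';
    return unserialize($raw); // sink
}

/**
 * HARDENED pattern. allowed_classes => false (PHP >= 7.0) makes unserialize()
 * produce __PHP_Incomplete_Class placeholders instead of real objects, so no
 * gadget method can run during decoding. Because episode metadata should only
 * ever be scalars and arrays, any object token at all is treated as hostile
 * and the whole value is discarded.
 */
function save_episode_meta_safe(array $post): mixed
{
    $raw = $post['PowerPress']['itunes_image'] ?? null;
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed serialized data
    }
    if (contains_incomplete_class($value)) {
        error_log('PowerPress[itunes_image]: rejected serialized object');
        return null;
    }
    return $value;
}

/** Walk the decoded value and report any __PHP_Incomplete_Class placeholder. */
function contains_incomplete_class(mixed $value): bool
{
    if (is_object($value)) {
        // With allowed_classes => false the only object type that can appear is the placeholder.
        return get_class($value) === '__PHP_Incomplete_Class';
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a benign array and the stdClass probe quoted in the plan.
$benign = ['PowerPress' => ['itunes_image' => serialize(['url' => 'https://example.invalid/a.jpg'])]];
$probe  = ['PowerPress' => ['itunes_image' => 'O:8:"stdClass":0:{}']];

var_dump(save_episode_meta_safe($benign));
var_dump(save_episode_meta_safe($probe));
```

Run as written, the benign array comes back intact and the stdClass probe is rejected with a line in the PHP error log. The stronger fix is to stop accepting serialized data from the form at all (JSON, or individual sanitized scalar fields); allowed_classes => false is the floor when the format cannot be changed. Note that the grep list later on this page also searches for maybe_unserialize(): in WordPress core that helper calls unserialize() without an allowed_classes restriction, so routing input through it is not a mitigation on its own.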

4. Nonce Acquisition Strategy

PowerPress secures its meta box operations with nonces. To perform the exploit, we must obtain a valid nonce generated for the current session.

  1. Identify Nonce: The plugin typically uses _powerpress_meta_nonce for metadata operations.
  2. Target Page: The nonce is rendered on the "Add New Post" page (/wp-admin/post-new.php).
  3. Extraction:
    • Navigate to /wp-admin/post-new.php as a Contributor.
    • The nonce is usually localized in the powerpress_admin JS object or as a hidden input field.
    • JavaScript Variable: window.powerpress_admin?.nonce (inferred).
    • Hidden Field: id="_powerpress_meta_nonce".

Execution Step:

// Use browser_eval to extract the nonce
const nonce = document.querySelector('#_powerpress_meta_nonce')?.value;
return nonce;

5. Exploitation Strategy

We will attempt to trigger the deserialization by submitting a post save request containing a serialized object in the PowerPress parameters.

Step-by-Step Plan:

  1. Authentication: Log in to the WordPress instance as a Contributor.
  2. Creation: Create a draft post to obtain a post_ID.
  3. Nonce Extraction: Access the edit page of the draft post and extract _powerpress_meta_nonce.
  4. Payload Preparation: Generate a simple PHP serialized object. Since no POP chain is confirmed, use a dummy object to confirm deserialization (e.g., O:8:"stdClass":0:{}).
  5. HTTP Request:
    • Tool: http_request
    • URL: https://<target>/wp-admin/post.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=editpost
      &post_ID=<ID>
      &_powerpress_meta_nonce=<NONCE>
      &PowerPress[itunes_image]=O:8:"stdClass":0:{}
      &PowerPress[feed_slug]=podcast
      
    • Note: The exact key inside the PowerPress array may vary. If itunes_image fails, try import_podcast or powerpress_episode_save.

6. Test Data Setup

  1. User: Create a user with the contributor role.
  2. Post: Create a draft post titled "Exploit Test" using wp post create.
  3. Plugin Config: Ensure PowerPress is active and the "Episode" meta box is visible (default).

7. Expected Results

  • The server should process the request without an immediate 403 (verifying the nonce works).
  • If the injection point is correct, PHP will attempt to deserialize the string.
  • Verification of Injection: If an error-based approach is needed, provide an invalid serialized string like O:8:"stdClass":1:{s:3:"abc";} (missing closing brace) and check the PHP error logs for "unserialize(): Error at offset...".

8. Verification Steps

After sending the request, verify if the object was injected:

  1. Check Meta: Use WP-CLI to check the _enclosure or itunes_metadata meta for the post.
    wp post meta get <post_id> _enclosure
    
  2. Audit Logs: Check the wp-content/debug.log (if enabled) for deserialization errors.
  3. Database Check: Check the wp_postmeta table for the serialized string.
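For the Verification Steps above (the meta check, the debug.log audit and the wp_postmeta lookup), an added scanning script that is not part of the advisory or the plugin. It takes rows in the shape a WP-CLI or SQL export would give them and never calls unserialize() itself; the sample rows, meta keys and log lines are constructed.

```php
<?php
// Added example, not from the advisory or the plugin: a post-incident scan over
// exported wp_postmeta rows and debug.log lines that flags serialized object
// tokens without ever calling unserialize(). All rows and log lines below are
// constructed; the meta keys mirror the ones named in the plan.
// Requires PHP 8.0+ (str_contains).

declare(strict_types=1);

/**
 * Class names of every object token in a serialized string. Objects appear as
 * O:<len>:"<class>":<n>:{...} (or C:... for custom serialization) and, inside
 * an array, always follow a key terminator ';', so anchoring on ^ or ';'
 * avoids matching a string literal that merely contains the bytes 'O:'.
 * A crafted s:... literal can still embed the full token, so treat hits as
 * leads to review rather than proof.
 */
function serialized_class_names(string $value): array
{
    preg_match_all('/(?:^|;)[OC]:\d+:"([^"]*)":\d+:/', $value, $m);
    return $m[1];
}

/** Rows whose meta_value carries an object token, with the classes involved. */
function scan_postmeta_rows(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $classes = serialized_class_names((string) $row['meta_value']);
        if ($classes !== []) {
            $hits[] = [
                'post_id'  => $row['post_id'],
                'meta_key' => $row['meta_key'],
                'classes'  => $classes,
            ];
        }
    }
    return $hits;
}

/** debug.log lines recording a failed unserialize(), the trace a malformed probe leaves. */
function scan_debug_log(array $lines): array
{
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => str_contains($line, 'unserialize(): Error at offset')
    ));
}

// Constructed sample data: a benign enclosure, two injected objects (one nested),
// and a plain string that happens to contain "O:" but is not an object token.
$rows = [
    ['post_id' => 11, 'meta_key' => '_enclosure',      'meta_value' => 'a:1:{s:3:"url";s:23:"https://x.invalid/a.mp3";}'],
    ['post_id' => 12, 'meta_key' => 'itunes_metadata', 'meta_value' => 'O:8:"stdClass":0:{}'],
    ['post_id' => 13, 'meta_key' => 'itunes_metadata', 'meta_value' => 'a:1:{i:0;O:8:"stdClass":0:{}}'],
    ['post_id' => 14, 'meta_key' => '_enclosure',      'meta_value' => 's:20:"not-serialized-O:1:x";'],
];
$log = [
    '[05-Mar-2026 10:00:00 UTC] PHP Notice:  unserialize(): Error at offset 22 of 25 bytes in <plugin-file>.php on line <n>',
    '[05-Mar-2026 10:00:01 UTC] PHP Notice:  Undefined index: foo in <plugin-file>.php on line <n>',
];

print_r(scan_postmeta_rows($rows));
print_r(scan_debug_log($log));
```

Run as written, the meta scan reports posts 12 and 13 (class stdClass) and leaves 11 and 14 alone, and the log scan returns only the first line. In practice, feed scan_postmeta_rows() the output of a wp db query over wp_postmeta restricted to the plugin's meta keys, and extend the string check in scan_debug_log() if the site's PHP version phrases the notice differently.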

9. Alternative Approaches

If the standard post.php path is blocked:

  • AJAX Path: Target wp-admin/admin-ajax.php with action=powerpress_save_episode.
  • Specific Meta Field: Focus on the "Media URL" field. In some versions, the plugin attempts to fetch and "unserialize" metadata cached for specific media URLs.
  • Taxonomy Path: If the contributor has permissions to edit categories, target the powerpress_taxonomy settings which are often processed through powerpress_save_settings.

Search Queries for Source Review (if accessible by agent):

grep -rn "unserialize" wp-content/plugins/powerpress/ | grep "_POST"
grep -rn "maybe_unserialize" wp-content/plugins/powerpress/admin/
grep -rn "_powerpress_meta_nonce" wp-content/plugins/powerpress/

Research Findings
Static analysis — not yet PoC-verified

Summary

The PowerPress Podcasting plugin for WordPress is vulnerable to PHP Object Injection via the insecure use of the unserialize() function on user-supplied metadata in the 'PowerPress' parameter array. Authenticated attackers with Contributor-level permissions or higher can leverage this vulnerability to inject PHP objects, which can lead to remote code execution if a suitable POP chain is present on the system.

Exploit Outline

To exploit this vulnerability, an attacker with at least Contributor-level authentication must first obtain a valid security nonce (specifically `_powerpress_meta_nonce`) from the post editor page. The attacker then submits a POST request to `/wp-admin/post.php` with the `action` parameter set to `editpost` (or alternatively targets the `powerpress_save_episode` AJAX action). The payload consists of a serialized PHP object placed within the `PowerPress` array parameters, such as `PowerPress[itunes_image]`. When the plugin processes the post save or metadata update, it passes this untrusted string directly into the `unserialize()` function, triggering the object injection.
