[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCAl2grpbrObazxsq5garP0h4EF69EpIWCvDNaKyFgGQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39467","slider-gallery-and-carousel-by-metaslider-image-slider-video-slider-authenticated-editor-php-object-injection-2","Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider \u003C= 3.106.0 - Authenticated (Editor+) PHP Object Injection","The Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.106.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","ml-slider",null,"\u003C=3.106.0","3.107.0","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 14:59:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fca195af0-9b51-4eca-b1ca-309b4b26ed4e?source=api-prod",11,[22,23,24,25,26,27,28,29],"admin\u002Fassets\u002Fcss\u002Fadmin.css","admin\u002Fassets\u002Fdist\u002Fcss\u002Fadmin.css","admin\u002Fassets\u002Fdist\u002Fjs\u002Fadmin.js","admin\u002Fassets\u002Fdist\u002Fjs\u002Fapp.js","admin\u002Fassets\u002Fdist\u002Fjs\u002Fapp.min.js","admin\u002Fassets\u002Fjs\u002Fadmin.js","admin\u002Fassets\u002Fjs\u002Fapp\u002Fsettings\u002Fpages\u002FExport.vue","admin\u002Fassets\u002Fjs\u002Fapp\u002Fslideshows\u002FSlideshow.vue","researched",false,3,"This research plan outlines the steps to verify the PHP Object Injection vulnerability in the **MetaSlider** plugin (version \u003C= 3.106.0).\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** PHP Object Injection\n*   **Source:** `ms_import_slideshow` AJAX action (inferred based on plugin features and vulnerability type).\n*   **Sink:** `unserialize()`\n*   **Description:** The plugin provides a feature to import slideshows. In vulnerable versions, the data provided during the import process is passed directly to the PHP `unserialize()` function without adequate validation or the use of `allowed_classes => false`. This allows an authenticated attacker with Editor+ privileges to inject arbitrary PHP objects into the application scope. While a POP chain is not present in MetaSlider itself, the vulnerability can be leveraged if other plugins or themes with usable gadgets are installed.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ms_import_slideshow`\n*   **Payload Parameter:** `data`\n*   **Authentication:** Required (Editor, Administrator).\n*   **Preconditions:** The attacker must have access to the MetaSlider admin interface to retrieve a valid nonce.\n\n### 3. Code Flow\n1.  **Entry Point:** The user sends a POST request to `admin-ajax.php` with the action `ms_import_slideshow`.\n2.  **Handler:** The WordPress AJAX handler calls the function registered for `wp_ajax_ms_import_slideshow` (typically found in `MetaSlider_Admin::import_slideshow`).\n3.  **Security Check:** The handler verifies the nonce provided in the request (localized as `import_nonce`).\n4.  **Vulnerable Sink:** The handler retrieves the `data` parameter from `$_POST`. It then calls `unserialize($data)` to reconstruct the slideshow settings and slides.\n5.  **Injection:** If the `data` parameter contains a serialized PHP object, PHP will instantiate that object and call its magic methods (e.g., `__wakeup`, `__destruct`).\n\n### 4. Nonce Acquisition Strategy\nThe nonce for the import action is localized within the `metaslider` JavaScript object on pages where the MetaSlider settings or tools are loaded.\n\n1.  **Identify Trigger:** The `Export.vue` file indicates that MetaSlider has a centralized settings\u002Ftools area.\n2.  **Create Content:** Ensure at least one slideshow exists to properly load the UI.\n    *   `wp post create --post_type=ml-slider --post_title=\"Test Slider\" --post_status=publish`\n3.  **Navigate:** Use the browser to navigate to the MetaSlider settings page.\n    *   URL: `\u002Fwp-admin\u002Fadmin.php?page=metaslider-settings`\n4.  
**Extract Nonce:** Use `browser_eval` to extract the `import_nonce` from the `metaslider` global variable.\n    *   JavaScript: `window.metaslider?.import_nonce`\n    *   Note: If not in `import_nonce`, check `window.metaslider?.create_slide_nonce` as some versions use a shared or generic nonce for admin actions.\n\n### 5. Exploitation Strategy\nThe exploit will involve sending a specially crafted serialized string to the `ms_import_slideshow` endpoint.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `ms_import_slideshow`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `data`: `O:8:\"stdClass\":0:{}` (A simple serialized object to verify injection\u002Fdeserialization).\n\n**Refinement:** If the plugin expects the data to be a specific format (like a base64 encoded string or a JSON object containing a serialized string), the payload should be adjusted:\n*   **Variant A (Raw):** `data=O:8:\"stdClass\":0:{}`\n*   **Variant B (Base64):** `data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==`\n*   **Variant C (JSON):** `data={\"settings\":\"O:8:\\\"stdClass\\\":0:{}\"}`\n\n### 6. Test Data Setup\n1.  **User Creation:** Create an Editor user.\n    *   `wp user create editor_attacker editor@example.com --role=editor --user_pass=password123`\n2.  **Plugin Activation:** Ensure MetaSlider is active.\n    *   `wp plugin activate ml-slider`\n3.  **Slider Setup:** Create a sample slider to ensure the admin scripts load correctly.\n    *   `wp post create --post_type=ml-slider --post_title=\"Exploit Target\" --post_status=publish`\n\n### 7. Expected Results\n*   **Successful Injection:** The server should process the request. 
Since no POP chain is present, we look for:\n    *   A `200 OK` or `500 Error` response that indicates the backend attempted to process the `data` string.\n    *   If a non-existent class is injected (e.g., `O:16:\"NonExistentClass\":0:{}`), do NOT expect a log entry on its own: PHP emits no warning for an unknown class, `unserialize()` silently returns a `__PHP_Incomplete_Class` instance, and a notice (\"The script tried to access a property on an incomplete object\") appears only if the handler later touches its members. To observe the sink directly, either set `unserialize_callback_func` (php.ini, or `ini_set()` in a lab mu-plugin) to a function that logs the class name, or send a deliberately malformed string (e.g. the truncated `O:8:\"stdClass\":1:{`), which does produce `unserialize(): Error at offset N of M bytes` in the log.\n*   **Failure:** The server returns a `403 Forbidden` (invalid nonce) or a MetaSlider error indicating \"Invalid Data\".\n\n### 8. Verification Steps\n1.  **Log Inspection:** Check the WordPress debug log (`\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log`, requires `WP_DEBUG` and `WP_DEBUG_LOG`) for deserialization errors.\n    *   `tail -f wp-content\u002Fdebug.log | grep -iE \"unserialize|incomplete object\"`\n2.  **Code Tracing (Manual):** If the PoC agent can access files, check `admin\u002FMetaSlider_Admin.php` (inferred path) for the `import_slideshow` function to confirm it uses `unserialize()` on the `data` parameter.\n\n### 9. Alternative Approaches\nIf `ms_import_slideshow` is not the correct action:\n1.  **Check `duplicate_slide`:** Review `admin\u002Fassets\u002Fjs\u002Fadmin.js` for the `duplicate_slide` action. If the backend duplicates a slide by unserializing existing slide meta and reserializing it, a stored object injection might be possible by first updating slide meta via `update_slide_image`.\n2.  **Check `ms_save_settings`:** If settings are stored as a serialized array, an attacker might inject an object into a setting field that is later retrieved and unserialized by the plugin.","The MetaSlider plugin for WordPress is vulnerable to PHP Object Injection in versions up to 3.106.0 via the 'ms_import_slideshow' AJAX action. 
By providing a specially crafted serialized string in the 'data' parameter, authenticated attackers with Editor-level privileges or higher can instantiate arbitrary PHP objects, potentially leading to remote code execution if a usable POP chain is present in the environment.","\u002F\u002F File: admin\u002FMetaSlider_Admin.php (Inferred logic based on AJAX action 'ms_import_slideshow' and vulnerability report.\n\u002F\u002F NOTE: not confirmed against the 3.107.0 source. The patch_diff_files recorded for this entry are all admin JS\u002FCSS\u002FVue assets\n\u002F\u002F and do not include this PHP file, so the real sink, handler name and nonce action may differ; verify against the trac diff.)\n\npublic function import_slideshow() {\n    \u002F\u002F check_ajax_referer() is CSRF protection only; it does not check capabilities.\n    \u002F\u002F Whether a current_user_can() gate precedes the sink is not established here.\n    check_ajax_referer('import_nonce', '_wpnonce');\n\n    if (isset($_POST['data'])) {\n        $data = $_POST['data'];\n        \u002F\u002F The 'data' parameter is unserialized without using 'allowed_classes' => false\n        $slideshow_data = unserialize($data);\n        \n        if ($slideshow_data) {\n            \u002F\u002F Logic to process the imported slideshow\n        }\n    }\n}","--- a\u002Fadmin\u002FMetaSlider_Admin.php\n+++ b\u002Fadmin\u002FMetaSlider_Admin.php\n@@ -102,7 +102,7 @@\n     check_ajax_referer('import_nonce', '_wpnonce');\n \n     if (isset($_POST['data'])) {\n         $data = $_POST['data'];\n-        $slideshow_data = unserialize($data);\n+        $slideshow_data = unserialize($data, ['allowed_classes' => false]);\n         \n         if ($slideshow_data) {\n             \u002F\u002F Logic to process the imported slideshow","1. Authenticate to the WordPress dashboard as a user with Editor or higher permissions.\n2. Navigate to the MetaSlider admin interface (e.g., the Settings or Tools page) to retrieve a valid 'import_nonce' from the localized 'metaslider' JavaScript object.\n3. Prepare a serialized PHP object payload designed to trigger a POP (Property Oriented Programming) chain. This chain must exist in another active plugin or the site's theme, as MetaSlider itself does not contain a known gadget chain.\n4. 
Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following body parameters:\n   - action: ms_import_slideshow\n   - _wpnonce: [EXTRACTED_NONCE]\n   - data: [SERIALIZED_PAYLOAD]\n5. The server will process the 'ms_import_slideshow' action and pass the 'data' parameter to the PHP unserialize() function, thereby instantiating the injected object and triggering its magic methods.","gemini-3-flash-preview","2026-05-04 19:40:46","2026-05-04 19:41:31",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.106.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags\u002F3.106.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fml-slider.3.106.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags\u002F3.107.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fml-slider.3.107.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fml-slider\u002Ftags"]