WpEvently <= 5.1.1 - Unauthenticated PHP Object Injection

This research plan outlines the steps to investigate and exploit CVE-2026-23549, an unauthenticated PHP Object Injection vulnerability in the WpEvently (Event Booking Manager for WooCommerce) plugin.

1. Vulnerability Summary

The vulnerability exists because the plugin passes unvalidated user input directly into the PHP unserialize() function. In PHP, deserializing untrusted data can lead to PHP Object Injection (POI). If a suitable "Property-Oriented Programming" (POP) chain exists in the environment (either within the plugin, another active plugin, or WordPress core), an attacker can execute arbitrary code, delete files, or bypass authentication.

The vulnerability is "unauthenticated," meaning it is likely reachable via a wp_ajax_nopriv_* action or a direct request to a frontend-accessible script that doesn't check for user sessions.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php (most likely) or a frontend hook like init.
• Action: Likely a wp_ajax_nopriv_ handler related to event booking, cart management, or attendee data.
• Parameter: A POST or GET parameter containing a serialized string (often Base64 encoded). Common names in such plugins include event_data, booking_info, cart_items, or attendee_list.
• Preconditions: The plugin must be active. No specific configuration is expected to be required for unauthenticated access.

3. Code Flow (Inferred)

Based on the vulnerability type, the execution flow is expected to be:

1. Entry Point: An unauthenticated user sends a request to admin-ajax.php?action=MAGE_EVENTPRESS_ACTION.
2. Hook Trigger: WordPress fires do_action('wp_ajax_nopriv_MAGE_EVENTPRESS_ACTION').
3. Handler Execution: The plugin's registered callback function (e.g., MageEventPress_Ajax::handle_request) is invoked.
4. Data Extraction: The handler retrieves data from $_POST['data'] or a similar parameter.
5. The Sink: The handler calls unserialize($data) or maybe_unserialize($data) without sufficient validation or using the allowed_classes => false option.

4. Nonce Acquisition Strategy

If the vulnerable AJAX action requires a nonce, it is likely exposed via wp_localize_script for use in the frontend booking forms.

Steps for the Agent:

1. Identify the Script/Nonce: Search for wp_localize_script in the plugin folder to find the JavaScript object name.
   • Grep command: grep -r "wp_localize_script" /var/www/html/wp-content/plugins/mage-eventpress/
2. Locate the Shortcode: Identify which shortcode enqueues this script. Look for add_shortcode in the codebase.
   • Example: [mage_event_booking] (inferred).
3. Setup Page: Create a public page containing the identified shortcode:
   • wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[SHORTCODE_NAME]'
4. Extract via Browser:
   • Navigate to the page.
   • Use browser_eval to find the nonce: browser_eval("window.mage_eventpress_params?.nonce") (Replace mage_eventpress_params with the actual variable found in step 1).

5. Exploitation Strategy

Once the sink and parameter are identified, follow these steps:

Step 1: Discover the Action and Sink
Search for unserialize calls that take user input:

grep -rn "unserialize" /var/www/html/wp-content/plugins/mage-eventpress/ | grep "POST\|GET\|REQUEST"

Step 2: Confirm Accessibility
Locate where the function containing the unserialize call is hooked. Verify if it uses wp_ajax_nopriv_.

Step 3: Construct Payload
Since no POP chain is specified in the vulnerability report, use a "benign" object injection to confirm the vulnerability. We can attempt to inject a core WordPress class like WP_Block_List or a simple stdClass to see if it triggers an error or different behavior compared to a non-serialized string.

• Test Payload (Base64 encoded stdClass): Tzo4OiJzdGRDbGFzcyI6MDp7fQ== (serializes to O:8:"stdClass":0:{})

Step 4: Execute HTTP Request

// Using http_request tool
{
  method: "POST",
  url: "http://localhost:8080/wp-admin/admin-ajax.php",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  data: "action=IDENTIFIED_ACTION&nonce=IDENTIFIED_NONCE&vulnerable_param=Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="
}

6. Test Data Setup

1. Plugin Installation: Ensure mage-eventpress version 5.1.1 is installed and active.
2. Event Creation: Some AJAX actions might require a valid event ID. Create one via WP-CLI if needed:
   • wp post create --post_type=event --post_title="Test Event" --post_status=publish
3. Shortcode Page: Create a page with the booking shortcode (as described in section 4) to facilitate nonce extraction if necessary.

7. Expected Results

• Successful Injection: The server processes the request and returns a 200 OK. If the payload is malformed or targets a non-existent class, you might see a PHP Notice or Warning in the logs (wp-content/debug.log).
• Confirmation: If the plugin attempts to use the injected object, it may trigger a "method not found" error if we inject a class like stdClass. This error confirms that the string was indeed deserialized into an object.

8. Verification Steps

1. Check Logs: Use tail -f /var/www/html/wp-content/debug.log while sending the request. Look for:
   • PHP Notice: unserialize(): Error at offset... (if payload is slightly off)
   • PHP Fatal error: Uncaught Error: Call to undefined method stdClass::... (this is a strong indicator of successful injection).
2. Trace execution: Add a temporary error_log("Sink reached with: " . print_r($data, true)); before the unserialize call in the plugin code to verify the data arrives intact.

9. Alternative Approaches

• Base64 Variant: If raw serialization fails, try Base64 encoding the payload, as many plugins encode serialized objects to avoid character issues in HTTP parameters.
• Check for maybe_unserialize: If unserialize isn't found, search for maybe_unserialize. This function is a wrapper that will still call unserialize if the input is a valid serialized string.
• Search for GuzzleHttp or Requests chains: WordPress often includes libraries like Guzzle. If a POP chain is needed to prove impact, check for these libraries in vendor/ or core.