## https://sploitus.com/exploit?id=PACKETSTORM:190045
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     .:. Exploit Title > Wordpress Modal Popup Box Plugin - Multiple Vulnerabilities
    .:. Date: March 25, 2025
    .:. Exploit Author: bRpsd
    .:. Contact: cy[at]live.no
    .:. Plugin -> https://wordpress.org/plugins/modal-popup-box/
    .:. Product Version -> [1.5.8 and below]
    .:. DBMS -> MySQL
    .:. Tested on > macOS [*nix Darwin Kernel], on local xampp
    .:. Severity: High
    .:. Requires Admin+ Authentication
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    
    
    Description:
    The Modal Popup Box plugin for WordPress is vulnerable to a PHP Object Injection attack due to the unsafe use of the unserialize() function on user-controlled data. This vulnerability allows an attacker to inject a serialized PHP object into the plugin's data processing flow, potentially leading to remote code execution (RCE), data manipulation, or denial of service (DoS).
    
    
    The vulnerability is located in the modal-popup-box.php file, where the plugin retrieves and processes serialized data from the WordPress post meta.
    The following code snippet demonstrates the vulnerable section:
    ====================================================================================
    $encodedData = get_post_meta($modal_popup_box_id, 'awl_mpb_settings_' . $modal_popup_box_id, true);
    $decodedData = base64_decode($encodedData);
    if (is_mpb_serialized($decodedData)) {
        $modal_popup_box_settings = unserialize($decodedData);
    }
    ====================================================================================
    
    Exploitation:
    An attacker can exploit this vulnerability by crafting a serialized PHP object with a magic method (e.g., __destruct) that executes arbitrary code. The payload can be injected into the post meta data through form submissions.
    
    For example, a vulnerable form parameter carrying the payload: mpb_main_button_text=O:14:"MaliciousClass":0:{}
    
    Impact:
    - Remote Code Execution (RCE): Execute arbitrary PHP code on the server.
    - Data Manipulation: Alter plugin settings or other data stored in the database.
    - Denial of Service (DoS): Cause the application to crash or become unresponsive.
    
    Mitigation:
    - Avoid using unserialize() on untrusted data.
    - Use JSON for data serialization and deserialization.
    - Implement strict input validation and sanitization.
    - Update the plugin to the latest version once a patch is available.
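
The first two mitigation items applied to the vulnerable snippet, as an added example that is not part of the original advisory or the plugin's code. `mpb_decode_settings()` is a hypothetical helper; it assumes the settings are a flat map of scalar values and PHP 7.0 or later (for the `allowed_classes` option).

```php
<?php
// Added example: hardened decoding of a stored settings blob.
// mpb_decode_settings() is a hypothetical helper, not a plugin function.

function mpb_decode_settings(string $encoded): array
{
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode($encoded, true);
    if ($raw === false || $raw === '') {
        return [];
    }

    // Preferred format: JSON, which can only yield arrays and scalars.
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        // Legacy rows: unserialize with object instantiation disabled, so
        // no __wakeup()/__destruct() of any class can run.
        $data = @unserialize($raw, ['allowed_classes' => false]);
    }
    if (!is_array($data)) {
        return [];
    }

    // Keep only scalar values under string keys; this drops nested
    // arrays and any __PHP_Incomplete_Class placeholder.
    $clean = [];
    foreach ($data as $key => $value) {
        if (is_string($key) && is_scalar($value)) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample inputs (not taken from a real site).
$json   = base64_encode(json_encode(['mpb_main_button_text' => 'Open']));
$legacy = base64_encode(serialize(['mpb_main_button_text' => 'Open']));
$object = base64_encode('O:14:"MaliciousClass":0:{}');
$nested = base64_encode('a:1:{s:1:"x";O:14:"MaliciousClass":0:{}}');

foreach (compact('json', 'legacy', 'object', 'nested') as $name => $blob) {
    printf("%-7s %s\n", $name, json_encode(mpb_decode_settings($blob)));
}
```

The `json` and `legacy` inputs decode to the same settings array, while `object` and `nested` both come back empty because no class is ever instantiated.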
    
    Proof of Concept:
    1- Inject the serialized payload into a form field that is stored in the database and later unserialized.
    
    2- Trigger the vulnerability by accessing the modal settings, which will execute the injected payload.
    
    
    Vulnerability 2: DoS
    Attempting to include the [MPBOX id=] shortcode in any post or page causes a denial of service for some reason.