Coupon X WordPress Plugin PHP Object Injection Vulnerability

A PHP Object Injection vulnerability has been identified in the Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups plugin for WordPress, affecting all versions through 1.3.5. The vulnerability arises from the deserialization of untrusted input in post content, which is sent to the capture_email AJAX action. This flaw allows authenticated attackers with Contributor-level access and above to inject PHP objects. While the vulnerable plugin does not have a known proof of concept chain, such a chain could potentially exist through an additional plugin or theme, allowing the attacker to delete files, access sensitive information, or execute code.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP Object Injection, allowing for potential execution of malicious code, deletion of files, or access to sensitive data, depending on the presence of a suitable proof of concept chain.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a POST request to the 'capture_email' AJAX action. The request must include deserialized data in the 'post_content' that can be exploited for PHP Object Injection.

Remediation

Users are advised to update the Coupon X WordPress plugin to version 1.3.6 or later.