Mambo Importer PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Mambo Importer plugin for WordPress, affecting all versions through 1.0. The issue arises from the deserialization of untrusted data in the fImportMenu function, specifically through the $data parameter. This allows authenticated attackers with Administrator-level access to inject PHP objects. No POP (property-oriented programming) chain is known in the vulnerable software itself, so the impact is limited unless another installed plugin or theme provides one. If such a chain is present, it could enable the attacker to delete files, access sensitive information, or execute code, depending on the specific POP chain available.
Impact
Exploitation of this vulnerability could lead to PHP Object Injection, allowing for the injection of PHP objects by authenticated attackers with Administrator privileges. The actual impact would depend on the presence of a PHP Object Injection chain in other installed plugins or themes.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator access can send a POST request to the WordPress site with the 'ss_action' parameter set to 'save'. The 'resultShowArticle' parameter must be included in the request, containing the serialized data that will be deserialized by the vulnerable function. This deserialization process can be exploited to inject a PHP object into the application.
Remediation
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
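Where the plugin cannot be removed immediately, the request shape described under Reproduction can be checked in logged or proxied admin POST bodies. The following is an added example, not code from this advisory or from the plugin: it walks the PHP serialize format in resultShowArticle and reports any object class names instead of pattern-matching on "O:". It assumes a form-encoded body carrying the raw serialized string; the function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

def _num(buf, pos, delim):  # -> (count, offset just past delim)
    end = buf.index(delim, pos)
    if not buf[pos:end].isdigit():
        raise ValueError("bad count")
    return int(buf[pos:end]), end + len(delim)

def walk(buf, pos, found):
    """Consume one PHP-serialized value at pos; return the offset just past it."""
    tag = buf[pos:pos + 1]
    if tag and tag in b"NbidrR":                      # null, scalars, references
        return buf.index(b";", pos) + 1
    if tag == b"s":                                   # s:<len>:"<bytes>";
        n, pos = _num(buf, pos + 2, b':"')
        if buf[pos + n:pos + n + 2] != b'";':
            raise ValueError("bad string length")
        return pos + n + 2
    if tag in (b"O", b"C"):                           # <len>:"<class>" precedes the count
        n, pos = _num(buf, pos + 2, b':"')
        found.append(buf[pos:pos + n].decode("latin-1"))
        pos += n                                      # at the closing quote of the name
    if tag in (b"a", b"O", b"C"):
        n, pos = _num(buf, pos + 2, b":{")
        if tag == b"C":                               # n opaque bytes, then "}"
            return pos + n + 1
        for _ in range(2 * n):                        # n key/value pairs
            pos = walk(buf, pos, found)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("missing }")
        return pos + 1
    raise ValueError("unknown type tag")              # anything else goes to review

def inspect_request(body):
    """Classify a form-encoded POST body: ignore, clean, object or malformed."""
    params = parse_qs(body, encoding="latin-1")       # latin-1 keeps bytes 1:1
    if params.get("ss_action") != ["save"] or "resultShowArticle" not in params:
        return "ignore", []
    found = []
    try:
        raw = params["resultShowArticle"][0].encode("latin-1")
        walk(raw, 0, found)
    except (ValueError, RecursionError):
        return "malformed", found                     # fail closed: review by hand
    return ("object" if found else "clean"), found

# Constructed sample bodies, not captured traffic.
SAMPLES = [urlencode({"ss_action": "save", "resultShowArticle": v}) for v in (
    'a:1:{i:0;s:6:"O:1:"x";}', 'a:1:{i:0;O:8:"stdClass":0:{}}', 's:99:"short";')]
print([inspect_request(b) for b in SAMPLES])
```

Because string lengths are honoured, the first sample (a string that merely contains `O:1:"`) is reported clean, while the nested object in the second is found. Treat both "object" and "malformed" verdicts as worth reviewing.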
