Smackcoders Export All Posts, Products, Orders, Refunds & Users
cpe:2.3:a:smackcoders:export_all_posts,_products,_orders,_refunds_&_users:*:*:*:*:wordpress:*:*
- <= 2.13
A PHP Object Injection vulnerability has been identified in the WordPress Export All Posts, Products, Orders, Refunds & Users plugin, affecting all versions through 2.13. The vulnerability arises from the deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function, allowing unauthenticated attackers to inject PHP objects. While no known payload chain exists within the vulnerable plugin, the vulnerability could be exploited if another plugin or theme with a payload chain is active, potentially leading to actions such as file deletion, sensitive data exposure, or code execution, depending on the nature of the payload chain.
Exploitation of this vulnerability could lead to PHP Object Injection, allowing attackers to inject objects that could be exploited if a suitable payload chain is available through another plugin or theme.
The vulnerability can be reproduced by sending a request that reaches the 'returnMetaValueAsCustomerInput' function through the 'wp_ajax_parse_data' action, which is available to unauthenticated users. The request must include the 'query_data' parameter, which carries the serialized PHP object payload.
Users are advised to update the Export All Posts, Products, Orders, Refunds & Users plugin to version 2.14 or later.
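The root cause described above is a common WordPress pattern: an AJAX handler exposed to unauthenticated users that passes a request parameter straight to unserialize(). The following is an added example, not the plugin's own code, showing that pattern next to a hardened rewrite. The function names, the option name 'manage_options' as the required capability, and the nonce action 'parse_data_nonce' are assumptions chosen for illustration; only the action name 'wp_ajax_parse_data' and the parameter 'query_data' come from the advisory.

```php
<?php
// Added example (hypothetical handler, not the plugin's code).

// --- Vulnerable pattern -------------------------------------------------------
// unserialize() on raw request data lets the caller instantiate any class that is
// loaded or autoloadable, which is what PHP Object Injection is. Registering the
// wp_ajax_nopriv_ hook makes the handler reachable without logging in.
function example_vulnerable_parse_data() {
    $raw  = isset( $_POST['query_data'] ) ? wp_unslash( $_POST['query_data'] ) : '';
    $data = unserialize( $raw ); // vulnerable: arbitrary object instantiation
    wp_send_json_success( $data );
}
// Not registered in this file; shown only for comparison:
// add_action( 'wp_ajax_parse_data',        'example_vulnerable_parse_data' );
// add_action( 'wp_ajax_nopriv_parse_data', 'example_vulnerable_parse_data' );

// --- Hardened pattern ---------------------------------------------------------
function example_hardened_parse_data() {
    // 1. Authorisation: require a capability and a valid nonce (CSRF protection).
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'parse_data_nonce', 'nonce' );

    $raw = isset( $_POST['query_data'] ) ? wp_unslash( $_POST['query_data'] ) : '';

    // 2. Prefer a data-only format. JSON cannot express object instantiation,
    //    so there is no gadget-chain surface at all.
    $data = json_decode( $raw, true );
    if ( json_last_error() !== JSON_ERROR_NONE ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 3. If legacy PHP-serialized input must still be accepted, forbid class
    //    instantiation. With allowed_classes => false (PHP >= 7.0) any object in
    //    the payload becomes __PHP_Incomplete_Class and no __wakeup/__destruct
    //    of a real class can run.
    // $data = unserialize( $raw, array( 'allowed_classes' => false ) );

    // 4. Validate the shape before using the data.
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    wp_send_json_success( array_map( 'sanitize_text_field', $data ) );
}

// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ registration, so anonymous requests never reach the handler.
add_action( 'wp_ajax_parse_data', 'example_hardened_parse_data' );
```

For detection, the pattern to look for in an audit is any call to unserialize() whose argument derives from $_GET, $_POST, $_REQUEST, cookies or a stored value a user can write, reachable from a hook that is registered with the wp_ajax_nopriv_ prefix or otherwise lacks a capability check.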