WordPress User Frontend Plugin Deserialization Vulnerability Allowing Arbitrary Object Injection

A vulnerability allowing deserialization of untrusted data has been identified in the User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress. This issue affects versions through 4.3.1. The vulnerability arises from inadequate input validation and type checking on the 'wpuf_files' parameter during form submissions. This flaw enables authenticated attackers with Subscriber-level access or higher to inject arbitrary PHP objects. If a suitable property-oriented programming (POP) chain exists on the target system, this could be exploited to execute arbitrary code, delete files, or carry out other malicious actions.

Impact

Exploitation of this vulnerability could lead to arbitrary object injection, with potential for executing arbitrary code, deleting files, or other malicious actions, depending on the presence of a POP chain on the target system.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can submit a form using the 'wpuf_files' parameter. The submission will bypass input validation and type checks, allowing the injection of malicious PHP objects. If the target system has a POP chain, this could be exploited to execute code or delete files.

Remediation

Users are advised to update to version 4.3.2 or later, where this vulnerability has been addressed.