Hi @complexz,
We don’t know any known issue.
If you find something please send as to
[email protected] and we will be happy to see it
Hi again.
This is from Jetpack:
“The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.”
CVE-2023-3392
OBJECT INJECTION
A8: Insecure Deserialization
CWE-502
Original Researcher: Do Xuan Trung
1e733ccf-8026-4831-9863-e505c2aecba6
https://wpscan.com/vulnerability/1e733ccf-8026-4831-9863-e505c2aecba6
Dear @complexz,@bcolflesh,
Thank you for the message, but if you are together is it possible please write in one message.
Second.
From your messages it’s not clear what’s wrong? Could you please provide more detailed information? in which file which line(s) are wrong.
You could also directly send me detailed information, i will be happy to fix them, but i could not understand your messages.
The link explains exactly what wrong, they are trying to help you by not disclosing the exact code – they must have been contacting you, trying to get you to fix this.
You need to fix this ASAP before you are removed from the plugin repo.
Dear @bcolflesh,
I am happy to fix them asap, but could you please help understand where i could see what is wrong?
In this link
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/expand-maker/read-more-accordion-322-authenticated-administrator-php-object-injection
I could not find what they found? could you i expect to show in which fine what is wrong.
Does this show that information and where i could see that?
If you click on the original reporting link there:
https://wpscan.com/vulnerability/1e733ccf-8026-4831-9863-e505c2aecba6
“The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.”
You have to sanitize input to prevent PHP Object Injection.
If you email [email protected] maybe they can put you in touch with Dao Xuan Hieu before he publishes the PoC on Saturday.
Dear @bcolflesh,
How you generate that link? How can I also generate that?
Could you please let me know what it means PoC?
I need to understand how can i check my changes?
Dear @complexz, @bcolflesh
We did plugin update could you please check and let me know does it ok now?
