VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2021 · Updated Aug 3, 2024

JoomSport < 5.1.8 - Unauthenticated PHP Object Injection

CVE-2021-24384

Description

The JoomSport plugin before 5.1.8 allows unauthenticated PHP object injection via the joomsport_md_load AJAX action, potentially leading to RCE if other plugins provide gadget chains.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The JoomSport WordPress plugin before version 5.1.8 contains a PHP Object Injection vulnerability in the joomsport_md_load AJAX action. The action is reachable by unauthenticated users and passes the shattr POST parameter to unserialize() without any validation. The plugin itself lacks a suitable gadget chain for exploitation, but other installed plugins may provide one.

Exploitation

An unauthenticated attacker can exploit this by sending a POST request to the WordPress AJAX endpoint with the action parameter set to joomsport_md_load and a crafted serialized PHP object in the shattr parameter. The unserialize call then instantiates whatever classes the serialized data names, provided those classes are defined on the site.

Impact

Successful exploitation allows PHP object injection. While the JoomSport plugin does not contain a gadget chain for remote code execution, the attacker may leverage classes from other installed plugins or the WordPress core to achieve arbitrary code execution, file manipulation, or other malicious outcomes, depending on the available gadgets.

Mitigation

The vulnerability is fixed in version 5.1.8 of the JoomSport plugin. Users should update to this version or later immediately. No alternative workarounds are provided in the reference [1].
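Added example, not part of the advisory or the JoomSport plugin: a defender-side check that flags admin-ajax.php POSTs naming the joomsport_md_load action whose shattr parameter carries a serialized PHP object, which is the only input shape that reaches the pre-5.1.8 bug. The endpoint path, body encoding and sample traffic are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# A serialized PHP object starts with O:<len>:"<Class>": (or C:... for classes
# implementing Serializable). Either form makes unserialize() instantiate <Class>;
# plain scalars and arrays (s:, i:, a:) do not, so they are not flagged.
PHP_OBJECT_RE = re.compile(r'(?:^|[{;])([OC]):\d+:"([^"]+)":')

def serialized_php_classes(payload: str) -> List[str]:
    """Class names unserialize() would instantiate for this payload, nested ones included."""
    return [m.group(2) for m in PHP_OBJECT_RE.finditer(payload)]

def check_request(path: str, body: str) -> Optional[dict]:
    """Flag a POST to admin-ajax.php targeting joomsport_md_load with an object in shattr."""
    if not path.endswith("/wp-admin/admin-ajax.php"):   # assumed WordPress AJAX endpoint
        return None
    params = parse_qs(body, keep_blank_values=True)       # assumes a form-encoded body
    if params.get("action", [""])[0] != "joomsport_md_load":
        return None
    classes = serialized_php_classes(params.get("shattr", [""])[0])
    if not classes:
        return None          # scalar/array input cannot trigger object injection
    return {"action": "joomsport_md_load", "classes": classes}

def scan(requests: List[Tuple[str, str]]) -> List[dict]:
    """Run check_request over (path, body) pairs and collect hits with their index."""
    hits = []
    for idx, (path, body) in enumerate(requests):
        hit = check_request(path, body)
        if hit:
            hits.append(dict(hit, index=idx))
    return hits

# Constructed sample traffic (not captured from a real site). stdClass is used only
# to exercise the detector; it is a built-in PHP class, not a gadget.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php", urlencode({"action": "heartbeat", "data": "x"})),
    ("/wp-admin/admin-ajax.php", urlencode({"action": "joomsport_md_load",
                                            "shattr": 'a:1:{s:2:"id";i:7;}'})),  # array only
    ("/wp-admin/admin-ajax.php", urlencode({"action": "joomsport_md_load",
                                            "shattr": 'a:1:{i:0;O:8:"stdClass":0:{}}'})),
    ("/blog/wp-admin/admin-ajax.php", urlencode({"action": "joomsport_md_load",
                                                 "shattr": 'O:8:"stdClass":1:{s:1:"k";s:1:"v";}'})),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"request #{hit['index']}: serialized object(s) {hit['classes']} sent in shattr")
```

Any hit on a site still below 5.1.8 warrants checking the other installed plugins for usable gadget classes, since that is what decides whether the injection escalates.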

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)