# [[CVE-2024-24842](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/echo-knowledge-base/knowledge-base-for-documentation-faqs-with-ai-assistance-11302-unauthenticated-php-object-injection-in-is-article-recently-viewed)] Unauthenticated PHP Object Injection in plugin Knowledge Base for Documentation, FAQs with AI Assistance <= 11.30.2

:::info
:bulb: [Knowledge Base for Documentation, FAQs with AI Assistance plugin - Unauthenticated PHP Object Injection](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/echo-knowledge-base/knowledge-base-for-documentation-faqs-with-ai-assistance-11302-unauthenticated-php-object-injection-in-is-article-recently-viewed)
:::

## ✋ Table of contents

1. About Knowledge Base for Documentation, FAQs with AI Assistance plugin
2. The security vulnerability
3. The patch
4. Conclusion

This blog post is about the **Knowledge Base for Documentation, FAQs with AI Assistance** plugin vulnerability. If you're using this plugin, please update the plugin to at least version **11.31.0**.

## About Knowledge Base for Documentation, FAQs with AI Assistance plugin

The plugin **Knowledge Base for Documentation, FAQs with AI Assistance** (versions 11.30.2 and below) is estimated to have over 10,000 active installations.

![image](https://hackmd.io/_uploads/ByRu7vcip.png)

This **Knowledge Base** plugin is a powerful documentation tool that helps you create and organize your documentation, FAQs, and articles.

## 💣 The security vulnerability

The **Knowledge Base for Documentation, FAQs with AI Assistance** plugin has been identified with an unauthenticated PHP Object Injection vulnerability. It arises because user-controlled data is passed, without adequate sanitization, to the **maybe_unserialize** function, which is a WordPress wrapper around PHP's **unserialize** function.
Because PHP can serialize objects, an unauthenticated user can supply crafted serialized strings to the reachable **unserialize** call, leading to the injection of arbitrary PHP object(s) into the application scope. This vulnerability was addressed in version **11.31.0** and assigned the identifier **[CVE-2024-24842](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/echo-knowledge-base/knowledge-base-for-documentation-faqs-with-ai-assistance-11302-unauthenticated-php-object-injection-in-is-article-recently-viewed)**.

![image](https://hackmd.io/_uploads/HJ2a7Cxn6.png)

The root cause of the vulnerability lies within the **is_article_recently_viewed** function:

![image](https://hackmd.io/_uploads/HkYLaplnT.png)

The **is_article_recently_viewed** function is invoked from the **maybe_increase_article_count** function to check whether a user has recently viewed the article. The **maybe_increase_article_count** function is in turn called from the **process_article_count** function, and **process_article_count** is invoked through the action **epkb_count_article_view**.

![image](https://hackmd.io/_uploads/ByFJ1Cx2p.png)

In WordPress, an AJAX action registered with the **wp_ajax_nopriv** prefix can be invoked by unauthenticated users.

![image](https://hackmd.io/_uploads/SyzzkAl36.png)

Consequently, an unauthenticated attacker can reach the PHP Object Injection sink through the following sequence of functions: invoke the action **epkb_count_article_view** to trigger **process_article_count** > **maybe_increase_article_count** > **is_article_recently_viewed** > **maybe_unserialize** > the gadget chain fires during unserialization.

A request that triggers the **epkb_count_article_view** action while carrying a serialized payload in the **epkb_article_views_counter** cookie is therefore enough to perform the injection.
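To make the data flow concrete, here is an added PHP illustration (my own code, not the plugin's code and not the vendor's patch) of the two patterns side by side: a cookie value handed straight to `maybe_unserialize`, and a JSON-based replacement that validates the decoded list, in the spirit of the fix described in the patch section below. The `demo_*` function names, the stand-in `maybe_unserialize` that lets the file run outside WordPress, the 1024-byte length bound, and the cookie values are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for WordPress core's maybe_unserialize(), defined only so this
// file runs outside WordPress. Like the real one, it hands any value that
// looks like serialized PHP to unserialize(); the shape check is simplified.
if ( ! function_exists( 'maybe_unserialize' ) ) {
    function maybe_unserialize( $data ) {
        if ( is_string( $data ) && preg_match( '/^(N;|[abdiOsC]:)/', $data ) ) {
            return @unserialize( $data );
        }
        return $data;
    }
}

// --- Vulnerable pattern (hypothetical name) -------------------------------
// The cookie is attacker-controlled and reaches unserialize() unchanged, so
// any class loadable on the site that implements __wakeup(), __destruct()
// or __toString() can be instantiated by an unauthenticated request.
function demo_is_article_recently_viewed_unsafe( int $article_id, string $cookie ): bool {
    $viewed = maybe_unserialize( $cookie );   // object-injection sink
    return is_array( $viewed ) && in_array( $article_id, $viewed, true );
}

// --- Hardened pattern (hypothetical name) ---------------------------------
// json_decode() with $associative = true yields only scalars and arrays, so
// no object is ever constructed while parsing. The decoded value is then
// checked against the one shape the cookie is supposed to have: a flat list
// of positive integer post IDs.
function demo_is_article_recently_viewed_safe( int $article_id, string $cookie ): bool {
    if ( strlen( $cookie ) > 1024 ) {          // constructed bound: a short ID list only
        return false;
    }
    $viewed = json_decode( $cookie, true, 2 ); // depth 2: a flat list, no nesting
    if ( ! is_array( $viewed ) ) {
        return false;                          // malformed JSON, nested data, or a scalar
    }
    foreach ( $viewed as $id ) {
        if ( ! is_int( $id ) || $id < 1 ) {
            return false;                      // anything but a positive integer ID is rejected
        }
    }
    return in_array( $article_id, $viewed, true );
}

// Constructed cookie values exercising both functions for article ID 12.
function demo_run(): array {
    $cases = [
        'legacy serialized list' => 'a:2:{i:0;i:12;i:1;i:34;}',
        'json list'              => '[12,34]',
        'json strings'           => '["12","34"]',
        'json nested'            => '[[12]]',
        'garbage'                => 'not a cookie value',
    ];
    $results = [];
    foreach ( $cases as $label => $cookie ) {
        $results[ $label ] = [
            'unsafe' => demo_is_article_recently_viewed_unsafe( 12, $cookie ),
            'safe'   => demo_is_article_recently_viewed_safe( 12, $cookie ),
        ];
    }
    return $results;
}

print_r( demo_run() );
```

The point of the hardened version is not JSON itself but that the parser cannot create objects and that the result is checked against an explicit schema (flat, bounded, positive integers) before it is used. If a serialized format has to be kept temporarily, calling `unserialize()` directly with `['allowed_classes' => false]` (PHP 7.0+) stops object instantiation, but switching formats removes the sink altogether, which is what the vendor's patch does.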
![image](https://hackmd.io/_uploads/rJNd-0lha.png)

To obtain the nonce value to include in the request, a request like the following can be sent:

![image](https://hackmd.io/_uploads/BJeA-Cl2p.png)

## :dart: The patch

Since the issue stems from the plugin passing cookie data to the unsafe **maybe_unserialize** function, replacing that call is enough to fix it. In this case, the vendor switched to the JSON format to process the **$_COOKIE['epkb_article_views_counter']** data. The patch can be seen below:

![image](https://hackmd.io/_uploads/HJ9_f0xnp.png)

## Conclusion

The **maybe_unserialize** function is a wrapper for PHP's **unserialize** function, which is one of the more sensitive operations in PHP and can lead to security issues when it receives untrusted input. In general, I am solely focused on searching for similar functions to identify multiple vulnerabilities like this one.